Abstract

Decidability of definitional equality and conversion of terms into canonical form play a central role in the meta-theory of a type-theoretic logical framework. Most studies of definitional equality are based on a confluent, strongly-normalizing notion of reduction. Coquand has considered a different approach, directly proving the correctness of a practical equivalence algorithm based on the shape of terms. Neither approach appears to scale well to richer languages with unit types or subtyping, and neither directly addresses the problem of conversion to canonical form.

In this paper we present a new, type-directed equivalence algorithm for the LF type theory that overcomes the weaknesses of previous approaches. The algorithm is practical, scales to more expressive languages, and yields a new notion of canonical form sufficient for adequate encodings of logical systems. The algorithm is proved complete by a Kripke-style logical relations argument similar to that suggested by Coquand. Crucially, both the algorithm itself and the logical relations rely only on the shapes of types, ignoring dependencies on terms.
1 Introduction


At present the mechanization of constructive reasoning relies almost entirely on type theories of various forms. The principal reason is that the computational meaning of constructive proofs is an integral part of the type theory itself. The main computational mechanism in such type theories is reduction, which has therefore been studied extensively.

For logical frameworks the case for type-theoretic meta-languages is also compelling, since they allow us to internalize deductions as objects. The validity of a deduction is then verified by type-checking in the meta-language. To ensure that proof checking remains decidable under this representation, the type checking problem for the meta-language must also be decidable. To support deductive systems of practical interest, the type theory must support dependent types, that is, types that depend on objects.

The correctness of the representation of a logic in type theory is given by an adequacy theorem that correlates the syntax and deductions of the logic with canonical forms of suitable type. To establish a precise correspondence, canonical forms are taken to be $\beta$-normal, $\eta$-long forms. In particular, it is important that canonical forms enjoy the property that constants and variables of higher type are “fully applied” — that is, each occurrence is applied to enough arguments to reach a base type.

Thus we see that the methodology of logical frameworks relies on two fundamental meta-theoretic results: the decidability of type checking, and the existence of canonical forms. For many type theories the decidability of type checking is easily seen to reduce to the decidability of definitional equality of types and terms. Therefore we focus attention on the decision problem for definitional equality and on the conversion of terms to canonical form.

Traditionally, both problems have been treated by considering normal forms for $\beta$, and possibly $\eta$, reduction. If we take definitional equality to be conversion, then its decidability follows from confluence and strong normalization for the corresponding notion of reduction. In the case of $\beta$-reduction this approach to deciding definitional equality works well, but for $\beta\eta$-reduction the situation is much more complex. In particular, $\beta\eta$-reduction is confluent only for well-typed terms, and subject reduction depends on strengthening, which is difficult to prove directly.

These technical problems with $\beta\eta$-reduction have been addressed in work by Salvesen [Sal90], Geuvers [Geu92] and later with a different method by Goguen [Gog99], but nevertheless several problems remain. First, canonical forms are not $\beta\eta$-normal forms and so conversion to canonical form must be handled separately. Second, the algorithms implicit in the reduction-based accounts are not practical; if two terms are not definitionally equal, we can hope to discover this without reducing both to normal form. Third, the approach does not appear to scale to richer theories such as those including unit types or subtyping.

These problems were side-stepped in the original paper on the LF logical framework [HHP93] by restricting attention to $\beta$-conversion for definitional equality. This is sufficient if we also restrict attention to $\eta$-long forms [FM90, Cer96]. This restriction is somewhat unsatisfactory, especially in linear variants of LF [CP98].

More recently, $\eta$-expansion has been studied in its own right, using modification of standard techniques from rewriting theory to overcome the lack of strong normalization when expansion is not restricted [JG95, Gha97]. In the dependently typed case, even the definition of long normal form is not obvious [DHW93] and the technical development is fraught with difficulties. We have not been able to reconstruct the proofs in [Gha97] and the development in [Vir99] relies on a complex intermediate system with annotated terms.

To address the problems of practicality, Coquand suggested abandoning reduction-based treatments of definitional equality in favor of a direct presentation of a practical equivalence algorithm [Coq91]. Coquand’s approach is based on analyzing the “shapes” of terms, building in the principle of extensionality instead of relying on $\eta$-reduction or expansion. This algorithm improves on reduction-based approaches by avoiding explicit computation of normal forms, and allowing for early termination in the case that two terms are determined to be inequivalent. However, Coquand’s approach does not address the problem of computing canonical forms, nor can it be easily extended to richer type theories such as those with unit types. In both cases the problem can be traced to the reliance on the shape of terms, rather than on their classifying types, to guide the algorithm. For example, if $x$ and $y$ are two variables of unit type, they are definitionally equal, but are structurally distinct; moreover, their canonical forms would be the sole element of unit type.

In this paper we present a new type-directed algorithm for testing equality for a dependent type theory in the presence of $\beta$- and $\eta$-conversion, which generalizes the algorithm for the simply-typed case in [Pfe92]. We prove its correctness directly via logical relations. The essential idea is that we can erase dependencies when defining the logical relation, even though the domain of the relation contains dependently typed terms. This makes the definition obviously well-founded. Moreover, it means that the type-directed equality-testing algorithm on dependently typed terms requires only simple types. Consequently, transitivity of the algorithm is an easy property, which we were unable to obtain without this simplifying step. Soundness and completeness of the equality-testing algorithm yields the decidability of the type theory rather directly.

Another advantage of our approach is that it can be easily adapted to support adequacy proofs using a new notion of quasi-canonical forms, that is, canonical forms without type labels on $\lambda$-abstractions. We show that quasi-canonical forms of a given type are sufficient to determine the meaning of an object, since the type labels can be reconstructed (up to definitional equality) from the classifying type. Interestingly, recent research on dependently typed rewriting [Vir99] has also isolated equivalence classes of terms modulo conversion of the type labels as a critical concept.

While it is beyond the scope of this paper, we believe our construction is robust with respect to extension of the type theory with products, unit, linearity, subtyping and similar complicating factors. The reason is the flexibility of type-directed equality in the simply-typed case and the harmony between the definition of the logical relation and the algorithm, both of which are based on the erased types.

Our approach is similar to the technique of typed operational semantics of Goguen [Gog94, Gog99] in that both take advantage of types during reduction. However, as pointed out by Goguen [Gog99], the development of the complete metatheory of the LF requires the use of an untyped reduction relation. Our techniques avoid this entirely, fulfilling Goguen’s conjecture that a complete development should be possible without resorting to untyped methods.

2 A Variant of the LF Type Theory

Syntactically, our formulation of the LF type theory follows the original proposal by Harper, Honsell and Plotkin [HHP93], except that we omit type-level $\lambda$-abstraction. This simplifies the proof of the soundness theorem considerably, since we can prove the injectivity of products (Lemma 12) at an early stage. In practice, this restriction has no impact since types in normal form never contain type-level $\lambda$-abstractions.
2.1 Syntax


\[
\begin{array}{llcl}
\text{Kinds} & K & ::= & \mathsf{type} \mid \Pi x{:}A.\,K \\
\text{Families} & A & ::= & a \mid A\,M \mid \Pi x{:}A_1.\,A_2 \\
\text{Objects} & M & ::= & c \mid x \mid \lambda x{:}A.\,M \mid M_1\,M_2 \\
\text{Signatures} & \Sigma & ::= & \cdot \mid \Sigma, a{:}K \mid \Sigma, c{:}A \\
\text{Contexts} & \Gamma & ::= & \cdot \mid \Gamma, x{:}A
\end{array}
\]

We use $K$ for kinds, $A, B, C$ for type families, $M, N, O$ for objects, $\Gamma, \Psi$ for contexts and $\Sigma$ for signatures. We also use the symbol “kind” to classify the valid kinds. We consider terms that differ only in the names of their bound variables as identical. We write $[N/x]M$, $[N/x]A$ and $[N/x]K$ for capture-avoiding substitution. Signatures and contexts may declare each constant and variable at most once. For example, when we write $\Gamma, x{:}A$ we assume that $x$ is not already declared in $\Gamma$. If necessary, we tacitly rename $x$ before adding it to the context $\Gamma$.

2.2 Substitutions

In the logical relations argument, we require a notion of simultaneous substitution.

\[
\text{Substitutions} \quad \sigma \ ::=\ \cdot \mid \sigma, M/x
\]

We assume that no variable is defined more than once in any substitution, which can be achieved by appropriate renaming where necessary. We do not develop a notion and theory of well-typed substitutions, since it is unnecessary for our purposes. However, when applying a substitution $\sigma$ to a term $M$ we maintain the invariant that all free variables in $M$ occur in the domain of $\sigma$, and similarly for families and kinds.

We write $\mathrm{id}_\Gamma$ for the identity substitution on the context $\Gamma$. We use the notation $M[\sigma]$, $A[\sigma]$ and $K[\sigma]$ for the simultaneous substitution by $\sigma$ into an object, family, or kind. It is defined by simultaneous induction on the structure of objects, families, and kinds.


\[
\begin{array}{lcl}
x[\sigma] & = & M \quad \text{where } M/x \text{ in } \sigma \\
c[\sigma] & = & c \\
(\lambda x{:}A.\,M)[\sigma] & = & \lambda x{:}A[\sigma].\,M[\sigma, x/x] \\
(M\,N)[\sigma] & = & M[\sigma]\,N[\sigma] \\
a[\sigma] & = & a \\
(A\,M)[\sigma] & = & A[\sigma]\,M[\sigma] \\
(\Pi x{:}A.\,B)[\sigma] & = & \Pi x{:}A[\sigma].\,B[\sigma, x/x] \\
\mathsf{type}[\sigma] & = & \mathsf{type} \\
(\Pi x{:}A.\,K)[\sigma] & = & \Pi x{:}A[\sigma].\,K[\sigma, x/x]
\end{array}
\]

Extending the substitution $\sigma$ to $(\sigma, x/x)$ may require some prior renaming of the variable $x$ in order to satisfy our assumption on substitutions.
2.3 Judgments

The LF type theory is defined by the following judgments.

\[
\begin{array}{ll}
\vdash \Sigma\ \mathsf{sig} & \Sigma \text{ is a valid signature} \\
\vdash_\Sigma \Gamma\ \mathsf{ctx} & \Gamma \text{ is a valid context} \\
\Gamma \vdash_\Sigma M : A & M \text{ has type } A \\
\Gamma \vdash_\Sigma A : K & A \text{ has kind } K \\
\Gamma \vdash_\Sigma K : \mathsf{kind} & K \text{ is a valid kind} \\
\Gamma \vdash_\Sigma M = N : A & M \text{ equals } N \text{ at type } A \\
\Gamma \vdash_\Sigma A = B : K & A \text{ equals } B \text{ at kind } K \\
\Gamma \vdash_\Sigma K = L : \mathsf{kind} & K \text{ equals } L
\end{array}
\]

For the judgment $\vdash_\Sigma \Gamma\ \mathsf{ctx}$ we presuppose that $\Sigma$ is a valid signature. For the remaining judgments of the form $\Gamma \vdash_\Sigma J$ we presuppose that $\Sigma$ is a valid signature and that $\Gamma$ is valid in $\Sigma$. For the sake of brevity we omit the signature $\Sigma$ from all judgments but the first, since it does not change throughout a derivation.

If $J$ is a typing or equality judgment, then we write $J[\sigma]$ for the obvious substitution of $J$ by $\sigma$. For example, if $J$ is $M : A$, then $J[\sigma]$ stands for the judgment $M[\sigma] : A[\sigma]$.


2.4 Typing Rules

Our formulation of the typing rules is similar to the second version given in [HHP93]. In preparation for the various algorithms we presuppose and inductively preserve the validity of contexts involved in the judgments, instead of checking these properties at the leaves. This is a matter of expediency rather than necessity.


Signatures

\[
\frac{}{\vdash \cdot\ \mathsf{sig}} \qquad
\frac{\vdash \Sigma\ \mathsf{sig} \quad \cdot \vdash_\Sigma K : \mathsf{kind}}{\vdash \Sigma, a{:}K\ \mathsf{sig}} \qquad
\frac{\vdash \Sigma\ \mathsf{sig} \quad \cdot \vdash_\Sigma A : \mathsf{type}}{\vdash \Sigma, c{:}A\ \mathsf{sig}}
\]

From now on we fix a valid signature $\Sigma$ and omit it from the judgments.

Contexts

\[
\frac{}{\vdash \cdot\ \mathsf{ctx}} \qquad
\frac{\vdash \Gamma\ \mathsf{ctx} \quad \Gamma \vdash A : \mathsf{type}}{\vdash \Gamma, x{:}A\ \mathsf{ctx}}
\]

From now on we presuppose that all contexts in judgments are valid, instead of checking it explicitly. This means, for example, that we have to verify the validity of the type labels in $\lambda$-abstractions before adding them to the context.
Objects

\[
\frac{x{:}A \text{ in } \Gamma}{\Gamma \vdash x : A} \qquad
\frac{c{:}A \text{ in } \Sigma}{\Gamma \vdash c : A}
\]
\[
\frac{\Gamma \vdash M_1 : \Pi x{:}A_2.\,A_1 \quad \Gamma \vdash M_2 : A_2}{\Gamma \vdash M_1\,M_2 : [M_2/x]A_1} \qquad
\frac{\Gamma \vdash A_1 : \mathsf{type} \quad \Gamma, x{:}A_1 \vdash M_2 : A_2}{\Gamma \vdash \lambda x{:}A_1.\,M_2 : \Pi x{:}A_1.\,A_2}
\]
\[
\frac{\Gamma \vdash M : A \quad \Gamma \vdash A = B : \mathsf{type}}{\Gamma \vdash M : B}
\]


Families

\[
\frac{a{:}K \text{ in } \Sigma}{\Gamma \vdash a : K} \qquad
\frac{\Gamma \vdash A : \Pi x{:}B.\,K \quad \Gamma \vdash M : B}{\Gamma \vdash A\,M : [M/x]K}
\]
\[
\frac{\Gamma \vdash A_1 : \mathsf{type} \quad \Gamma, x{:}A_1 \vdash A_2 : \mathsf{type}}{\Gamma \vdash \Pi x{:}A_1.\,A_2 : \mathsf{type}} \qquad
\frac{\Gamma \vdash A : K \quad \Gamma \vdash K = L : \mathsf{kind}}{\Gamma \vdash A : L}
\]


Kinds

\[
\frac{}{\Gamma \vdash \mathsf{type} : \mathsf{kind}} \qquad
\frac{\Gamma \vdash A : \mathsf{type} \quad \Gamma, x{:}A \vdash K : \mathsf{kind}}{\Gamma \vdash \Pi x{:}A.\,K : \mathsf{kind}}
\]

2.5 Definitional Equality

The rules for definitional equality are written with the presupposition that a valid signature $\Sigma$ is fixed and that all contexts $\Gamma$ are valid. The intent is that equality implies validity of the objects, families, or kinds involved (see Lemma 7). In contrast to the original formulation in [HHP93], equality is based on a notion of parallel conversion plus extensionality, rather than $\beta\eta$-conversion. We believe this is a robust foundation, easily transferred to richer and more complicated type theories. Parallel conversion allows the equality judgment to be relatively independent from the typing judgment, thereby simplifying the completeness proof of our algorithm. It does not otherwise appear to be essential. The use of extensionality on the other hand is central.

Characteristically for parallel conversion, reflexivity is admissible (Lemma 2), which significantly simplifies the completeness proof for the algorithm to check equality. We enclose the admissible rules in [brackets]. Some of the typing premises in the rules are redundant, but for technical reasons we cannot prove this until validity has been established. Such premises are enclosed in {braces}. Alternatively, it may be sufficient to check validity of the contexts at the leaves of the derivations (the cases for variables and constants), a technique used both in the original presentation of LF [HHP93] and Pure Type Systems [Bar92].
Simultaneous Congruence

\[
\frac{x{:}A \text{ in } \Gamma}{\Gamma \vdash x = x : A} \qquad
\frac{c{:}A \text{ in } \Sigma}{\Gamma \vdash c = c : A}
\]
\[
\frac{\Gamma \vdash M_1 = N_1 : \Pi x{:}A_2.\,A_1 \quad \Gamma \vdash M_2 = N_2 : A_2}{\Gamma \vdash M_1\,M_2 = N_1\,N_2 : [M_2/x]A_1}
\]
\[
\frac{\Gamma \vdash A_1' = A_1 : \mathsf{type} \quad \Gamma \vdash A_1'' = A_1 : \mathsf{type} \quad \Gamma, x{:}A_1 \vdash M_2 = N_2 : A_2}{\Gamma \vdash \lambda x{:}A_1'.\,M_2 = \lambda x{:}A_1''.\,N_2 : \Pi x{:}A_1.\,A_2}
\]

Extensionality

\[
\frac{\Gamma \vdash A_1 : \mathsf{type} \quad \{\Gamma \vdash M : \Pi x{:}A_1.\,A_2\} \quad \{\Gamma \vdash N : \Pi x{:}A_1.\,A_2\} \quad \Gamma, x{:}A_1 \vdash M\,x = N\,x : A_2}{\Gamma \vdash M = N : \Pi x{:}A_1.\,A_2}
\]


Parallel Conversion

\[
\frac{\{\Gamma \vdash A_1 : \mathsf{type}\} \quad \Gamma, x{:}A_1 \vdash M_2 = N_2 : A_2 \quad \Gamma \vdash M_1 = N_1 : A_1}{\Gamma \vdash (\lambda x{:}A_1.\,M_2)\,M_1 = [N_1/x]N_2 : [M_1/x]A_2}
\]


Equivalence

\[
\frac{\Gamma \vdash M = N : A}{\Gamma \vdash N = M : A} \qquad
\frac{\Gamma \vdash M = N : A \quad \Gamma \vdash N = O : A}{\Gamma \vdash M = O : A} \qquad
\left[\frac{\Gamma \vdash M : A}{\Gamma \vdash M = M : A}\right]
\]


Type Conversion

\[
\frac{\Gamma \vdash M = N : A \quad \Gamma \vdash A = B : \mathsf{type}}{\Gamma \vdash M = N : B}
\]


Family Congruence

\[
\frac{a{:}K \text{ in } \Sigma}{\Gamma \vdash a = a : K} \qquad
\frac{\Gamma \vdash A = B : \Pi x{:}C.\,K \quad \Gamma \vdash M = N : C}{\Gamma \vdash A\,M = B\,N : [M/x]K}
\]
\[
\frac{\Gamma \vdash A_1 = B_1 : \mathsf{type} \quad \{\Gamma \vdash A_1 : \mathsf{type}\} \quad \Gamma, x{:}A_1 \vdash A_2 = B_2 : \mathsf{type}}{\Gamma \vdash \Pi x{:}A_1.\,A_2 = \Pi x{:}B_1.\,B_2 : \mathsf{type}}
\]
Family Equivalence

\[
\frac{\Gamma \vdash A = B : K}{\Gamma \vdash B = A : K} \qquad
\frac{\Gamma \vdash A = B : K \quad \Gamma \vdash B = C : K}{\Gamma \vdash A = C : K} \qquad
\left[\frac{\Gamma \vdash A : K}{\Gamma \vdash A = A : K}\right]
\]


Kind Conversion

\[
\frac{\Gamma \vdash A = B : K \quad \Gamma \vdash K = L : \mathsf{kind}}{\Gamma \vdash A = B : L}
\]


Kind Congruence

\[
\frac{}{\Gamma \vdash \mathsf{type} = \mathsf{type} : \mathsf{kind}} \qquad
\frac{\Gamma \vdash A = B : \mathsf{type} \quad \{\Gamma \vdash A : \mathsf{type}\} \quad \Gamma, x{:}A \vdash K = L : \mathsf{kind}}{\Gamma \vdash \Pi x{:}A.\,K = \Pi x{:}B.\,L : \mathsf{kind}}
\]


Kind Equivalence

\[
\frac{\Gamma \vdash K = L : \mathsf{kind}}{\Gamma \vdash L = K : \mathsf{kind}} \qquad
\frac{\Gamma \vdash K = L : \mathsf{kind} \quad \Gamma \vdash L = L' : \mathsf{kind}}{\Gamma \vdash K = L' : \mathsf{kind}} \qquad
\left[\frac{\Gamma \vdash K : \mathsf{kind}}{\Gamma \vdash K = K : \mathsf{kind}}\right]
\]

2.6 Elementary Properties of Typing and Definitional Equality

We establish some elementary properties of the judgments pertaining to the interpretation of contexts. There is an alternative route to these properties by first introducing a notion of substitution and well-typed substitution.

First we establish weakening for all judgments of the type theory. We use $J$ to stand for any of the relevant judgments of the type theory in order to avoid repetitive statements. We extend the notation of substitution to all judgments of the type theory in the obvious way. For example, if $J$ is $N : B$ then $[M/x]J$ is $[M/x]N : [M/x]B$.

Lemma 1 (Weakening) If $\Gamma, \Gamma' \vdash J$ then $\Gamma, x{:}A, \Gamma' \vdash J$.

Proof: By straightforward induction over the structure of the given derivation. □

Note that exchange for independent hypotheses and contraction are also admissible, but we elide the statement of these properties here since they are not needed for the results in this paper. Next we show that reflexivity is admissible.

Lemma 2 (Reflexivity)

1. If $\Gamma \vdash M : A$ then $\Gamma \vdash M = M : A$.

2. If $\Gamma \vdash A : K$ then $\Gamma \vdash A = A : K$.

3. If $\Gamma \vdash K : \mathsf{kind}$ then $\Gamma \vdash K = K : \mathsf{kind}$.

Proof: By induction over the structure of the given derivations. In each case the result follows immediately from the available induction hypotheses. □


Next we prove the central substitution property.

Lemma 3 (Substitution Property for Typing and Definitional Equality)

Assume $\Gamma, x{:}A, \Gamma'$ is a valid context. If $\Gamma \vdash M : A$ and $\Gamma, x{:}A, \Gamma' \vdash J$ then $\Gamma, [M/x]\Gamma' \vdash [M/x]J$.

Proof: By straightforward inductions over the structure of the given derivations. □

The next lemma applies in a number of the proofs in the remainder of this section.

Lemma 4 (Context Conversion) Assume $\Gamma, x{:}A$ is a valid context and $\Gamma \vdash B : \mathsf{type}$.

If $\Gamma, x{:}A \vdash J$ and $\Gamma \vdash A = B : \mathsf{type}$ then $\Gamma, x{:}B \vdash J$.

Proof: Direct, taking advantage of the weakening and substitution.

\[
\begin{array}{ll}
\Gamma, x{:}B \vdash x : B & \text{By rule (variable)} \\
\Gamma \vdash B = A : \mathsf{type} & \text{By symmetry from assumption} \\
\Gamma, x{:}B \vdash x : A & \text{By rule (type conversion)} \\
\Gamma, x'{:}A \vdash [x'/x]J & \text{By renaming from assumption} \\
\Gamma, x{:}B, x'{:}A \vdash [x'/x]J & \text{By weakening} \\
\Gamma, x{:}B \vdash [x/x'][x'/x]J & \text{By substitution property} \\
\Gamma, x{:}B \vdash J & \text{By definition of substitution}
\end{array}
\]

□


Besides substitution, we require functionality for the typing judgments. Note that a stronger version of functionality for equality judgments must be postponed until validity (Lemma 7) has been proven. We state this in a slightly more general form than required below in order to prove it inductively.

Lemma 5 (Functionality for Typing) Assume $\Gamma, x{:}A, \Gamma'$ is a valid context, $\Gamma \vdash M = N : A$, $\Gamma \vdash M : A$, and $\Gamma \vdash N : A$.

1. If $\Gamma, x{:}A, \Gamma' \vdash P : B$ then $\Gamma, [M/x]\Gamma' \vdash [M/x]P = [N/x]P : [M/x]B$.

2. If $\Gamma, x{:}A, \Gamma' \vdash B : K$ then $\Gamma, [M/x]\Gamma' \vdash [M/x]B = [N/x]B : [M/x]K$.

3. If $\Gamma, x{:}A, \Gamma' \vdash K : \mathsf{kind}$ then $\Gamma, [M/x]\Gamma' \vdash [M/x]K = [N/x]K : \mathsf{kind}$.

Proof: By a straightforward induction on the given derivation $\mathcal{D}$ in each case. We show some representative cases.

Case:

\[
\mathcal{D} = \frac{}{\Gamma, x{:}A, \Gamma' \vdash x : A}
\]

\[
\begin{array}{ll}
\Gamma \vdash M = N : A & \text{Assumption} \\
\Gamma, [M/x]\Gamma' \vdash M = N : A & \text{By weakening}
\end{array}
\]

Case:

\[
\mathcal{D} = \frac{y{:}B \text{ in } \Gamma \text{ or } \Gamma'}{\Gamma, x{:}A, \Gamma' \vdash y : B}
\]

\[
\begin{array}{ll}
y{:}B \text{ in } \Gamma \text{ or } y{:}[M/x]B \text{ in } [M/x]\Gamma' & \text{By definition of substitution} \\
\Gamma, [M/x]\Gamma' \vdash y = y : [M/x]B & \text{By rule}
\end{array}
\]

Case:

\[
\mathcal{D} = \frac{\mathcal{D}_1 :: \Gamma, x{:}A, \Gamma' \vdash P_1 : \Pi y{:}B_2.\,B_1 \quad \mathcal{D}_2 :: \Gamma, x{:}A, \Gamma' \vdash P_2 : B_2}{\Gamma, x{:}A, \Gamma' \vdash P_1\,P_2 : [P_2/y]B_1}
\]

\[
\begin{array}{ll}
\Gamma, [M/x]\Gamma' \vdash [M/x]P_1 = [N/x]P_1 : \Pi y{:}[M/x]B_2.\,[M/x]B_1 & \text{By i.h. on } \mathcal{D}_1 \\
\Gamma, [M/x]\Gamma' \vdash [M/x]P_2 = [N/x]P_2 : [M/x]B_2 & \text{By i.h. on } \mathcal{D}_2 \\
\Gamma, [M/x]\Gamma' \vdash ([M/x]P_1)\,([M/x]P_2) = ([N/x]P_1)\,([N/x]P_2) : [([M/x]P_2)/y]([M/x]B_1) & \text{By rule} \\
\Gamma, [M/x]\Gamma' \vdash [M/x](P_1\,P_2) = [N/x](P_1\,P_2) : [M/x]([P_2/y]B_1) & \text{By properties of substitution}
\end{array}
\]

Case:

\[
\mathcal{D} = \frac{\mathcal{D}_1 :: \Gamma, x{:}A, \Gamma' \vdash B_1 : \mathsf{type} \quad \mathcal{D}_2 :: \Gamma, x{:}A, \Gamma', y{:}B_1 \vdash P_2 : B_2}{\Gamma, x{:}A, \Gamma' \vdash \lambda y{:}B_1.\,P_2 : \Pi y{:}B_1.\,B_2}
\]

\[
\begin{array}{ll}
\Gamma, [M/x]\Gamma' \vdash [M/x]B_1 = [N/x]B_1 : \mathsf{type} & \text{By i.h. on } \mathcal{D}_1 \\
\Gamma, [M/x]\Gamma', y{:}[M/x]B_1 \vdash [M/x]P_2 = [N/x]P_2 : [M/x]B_2 & \text{By i.h. on } \mathcal{D}_2 \\
\Gamma, [M/x]\Gamma' \vdash [M/x]B_1 : \mathsf{type} & \text{By substitution property} \\
\Gamma, [M/x]\Gamma' \vdash [M/x]B_1 = [M/x]B_1 : \mathsf{type} & \text{By reflexivity} \\
\Gamma, [M/x]\Gamma' \vdash [N/x]B_1 = [M/x]B_1 : \mathsf{type} & \text{By symmetry} \\
\Gamma, [M/x]\Gamma' \vdash \lambda y{:}[M/x]B_1.\,[M/x]P_2 = \lambda y{:}[N/x]B_1.\,[N/x]P_2 : \Pi y{:}[M/x]B_1.\,[M/x]B_2 & \text{By rule}
\end{array}
\]

Case:

\[
\mathcal{D} = \frac{\mathcal{D}_1 :: \Gamma, x{:}A, \Gamma' \vdash P : C \quad \mathcal{D}_2 :: \Gamma, x{:}A, \Gamma' \vdash C = B : \mathsf{type}}{\Gamma, x{:}A, \Gamma' \vdash P : B}
\]

\[
\begin{array}{ll}
\Gamma, [M/x]\Gamma' \vdash [M/x]P = [N/x]P : [M/x]C & \text{By i.h. on } \mathcal{D}_1 \\
\Gamma, [M/x]\Gamma' \vdash [M/x]C = [M/x]B : \mathsf{type} & \text{By substitution property} \\
\Gamma, [M/x]\Gamma' \vdash [M/x]P = [N/x]P : [M/x]B & \text{By rule (type conversion)}
\end{array}
\]

□

We have to postpone the general inversion properties until validity (Lemma 7) has been proven. However, we need the simpler property of inversion on products in order to prove validity.

Lemma 6 (Inversion on Products)

1. If $\Gamma \vdash \Pi x{:}A_1.\,A_2 : K$ then $\Gamma \vdash A_1 : \mathsf{type}$, and $\Gamma, x{:}A_1 \vdash A_2 : \mathsf{type}$.

2. If $\Gamma \vdash \Pi x{:}A.\,K : \mathsf{kind}$ then $\Gamma \vdash A : \mathsf{type}$ and $\Gamma, x{:}A \vdash K : \mathsf{kind}$.

Proof: Part (1) follows by induction on the given derivation since it is stated for general kinds $K$. Part (2) is immediate by inversion. □

Now we have the necessary properties to prove the critical validity property. Recall our general assumption that all signatures are valid.

Lemma 7 (Validity) Assume $\Gamma$ is a valid context.

1. If $\Gamma \vdash M : A$ then $\Gamma \vdash A : \mathsf{type}$.

2. If $\Gamma \vdash M = N : A$, then $\Gamma \vdash M : A$, $\Gamma \vdash N : A$, and $\Gamma \vdash A : \mathsf{type}$.

3. If $\Gamma \vdash A : K$, then $\Gamma \vdash K : \mathsf{kind}$.

4. If $\Gamma \vdash A = B : K$, then $\Gamma \vdash A : K$, $\Gamma \vdash B : K$, and $\Gamma \vdash K : \mathsf{kind}$.

5. If $\Gamma \vdash K = L : \mathsf{kind}$, then $\Gamma \vdash K : \mathsf{kind}$ and $\Gamma \vdash L : \mathsf{kind}$.

Proof: By a straightforward simultaneous induction on derivations. Functionality for typing (Lemma 5) is required to handle the case of applications. The typing premises on the rule of extensionality ensure that strengthening is not required.

Case:

\[
\mathcal{E} = \frac{\mathcal{E}_1 :: \Gamma \vdash M_1 = N_1 : \Pi x{:}A_2.\,A_1 \quad \mathcal{E}_2 :: \Gamma \vdash M_2 = N_2 : A_2}{\Gamma \vdash M_1\,M_2 = N_1\,N_2 : [M_2/x]A_1}
\]

\[
\begin{array}{ll}
\Gamma \vdash M_1 : \Pi x{:}A_2.\,A_1 & \\
\Gamma \vdash N_1 : \Pi x{:}A_2.\,A_1 & \\
\Gamma \vdash \Pi x{:}A_2.\,A_1 : \mathsf{type} & \text{By i.h. on } \mathcal{E}_1 \\
\Gamma \vdash M_2 : A_2 & \\
\Gamma \vdash N_2 : A_2 & \\
\Gamma \vdash A_2 : \mathsf{type} & \text{By i.h. on } \mathcal{E}_2 \\
\Gamma, x{:}A_2 \vdash A_1 : \mathsf{type} & \text{By inversion on products (Lemma 6)} \\
\Gamma \vdash [M_2/x]A_1 : \mathsf{type} & \text{By substitution property} \\
\Gamma \vdash M_1\,M_2 : [M_2/x]A_1 & \text{By rule} \\
\Gamma \vdash N_1\,N_2 : [N_2/x]A_1 & \text{By rule} \\
\Gamma \vdash [M_2/x]A_1 = [N_2/x]A_1 : \mathsf{type} & \text{By functionality (Lemma 5)} \\
\Gamma \vdash N_1\,N_2 : [M_2/x]A_1 & \text{By symmetry and type conversion}
\end{array}
\]

□

With the central validity property, we can show a few other syntactic results. The first of these is that functionality holds even for the equality judgments. Since this can be proven directly, we state it in the more restricted form in which it is needed subsequently.
Lemma 8 (Functionality for Equality) Assume $\Gamma, x{:}A$ is a valid context and $\Gamma \vdash M = N : A$.

1. If $\Gamma, x{:}A \vdash O = P : B$ then $\Gamma \vdash [M/x]O = [N/x]P : [M/x]B$.

2. If $\Gamma, x{:}A \vdash B = C : K$ then $\Gamma \vdash [M/x]B = [N/x]C : [M/x]K$.

3. If $\Gamma, x{:}A \vdash K = L : \mathsf{kind}$ then $\Gamma \vdash [M/x]K = [N/x]L : \mathsf{kind}$.

Proof: Direct, using validity, substitution, and functionality for typing. We show only the proof of part (1).

\[
\begin{array}{ll}
\Gamma, x{:}A \vdash O = P : B & \text{Assumption} \\
\Gamma \vdash M = N : A & \text{Assumption} \\
\Gamma \vdash M : A & \text{By validity} \\
\Gamma \vdash N : A & \text{By validity} \\
\Gamma \vdash [M/x]O = [M/x]P : [M/x]B & \text{By substitution} \\
\Gamma, x{:}A \vdash P : B & \text{By validity} \\
\Gamma \vdash [M/x]P = [N/x]P : [M/x]B & \text{By functionality for typing (Lemma 5)} \\
\Gamma \vdash [M/x]O = [N/x]P : [M/x]B & \text{By rule (transitivity)}
\end{array}
\]

At the level of objects it is also possible to derive functionality as follows by introducing $\lambda$-abstractions, applications, and parallel conversion. However, this is not possible at the level of families, since there is no corresponding $\lambda$-abstraction. □


The second consequence of validity is a collection of inversion properties which generalize inversion of products (Lemma 6).

Lemma 9 (Typing Inversion)

1. If $\Gamma \vdash x : A$ then $x{:}B$ in $\Gamma$ and $\Gamma \vdash A = B : \mathsf{type}$ for some $B$.

2. If $\Gamma \vdash c : A$ then $c{:}B$ in $\Sigma$ and $\Gamma \vdash A = B : \mathsf{type}$ for some $B$.

3. If $\Gamma \vdash M_1\,M_2 : A$ then $\Gamma \vdash M_1 : \Pi x{:}A_2.\,A_1$, $\Gamma \vdash M_2 : A_2$ and $\Gamma \vdash [M_2/x]A_1 = A : \mathsf{type}$ for some $A_1$ and $A_2$.

4. If $\Gamma \vdash \lambda x{:}A.\,M : B$, then $\Gamma \vdash B = \Pi x{:}A.\,A' : \mathsf{type}$, $\Gamma \vdash A : \mathsf{type}$, and $\Gamma, x{:}A \vdash M : A'$.

5. If $\Gamma \vdash \Pi x{:}A_1.\,A_2 : K$ then $\Gamma \vdash K = \mathsf{type} : \mathsf{kind}$, $\Gamma \vdash A_1 : \mathsf{type}$ and $\Gamma, x{:}A_1 \vdash A_2 : \mathsf{type}$.

6. If $\Gamma \vdash a : K$, then $a{:}L$ in $\Sigma$ and $\Gamma \vdash K = L : \mathsf{kind}$ for some $L$.

7. If $\Gamma \vdash A\,M : K$, then $\Gamma \vdash A : \Pi x{:}A_1.\,K_2$, $\Gamma \vdash M : A_1$, and $\Gamma \vdash K = [M/x]K_2 : \mathsf{kind}$.

8. If $\Gamma \vdash \Pi x{:}A_1.\,K_2 : \mathsf{kind}$, then $\Gamma \vdash A_1 : \mathsf{type}$ and $\Gamma, x{:}A_1 \vdash K_2 : \mathsf{kind}$.

Proof: By a straightforward induction on typing derivations. Validity is needed in most cases in order to apply reflexivity. □

We can now show that some of the typing premises in the inference rules are redundant.

Lemma 10 (Redundancy of Typing Premises) The indicated typing premises in the rules of parallel conversion, family congruence, and type congruence are redundant.

Proof: Straightforward from validity. □

Lemma 11 (Equality Inversion) Assume $\Gamma$ is a valid context.

1. If $\Gamma \vdash K = \mathsf{type} : \mathsf{kind}$ or $\Gamma \vdash \mathsf{type} = K : \mathsf{kind}$ then $K = \mathsf{type}$.

2. If $\Gamma \vdash K = \Pi x{:}B_1.\,L_2 : \mathsf{kind}$ or $\Gamma \vdash \Pi x{:}B_1.\,L_2 = K : \mathsf{kind}$ then $K = \Pi x{:}A_1.\,K_2$ such that $\Gamma \vdash A_1 = B_1 : \mathsf{type}$ and $\Gamma, x{:}A_1 \vdash K_2 = L_2 : \mathsf{kind}$.

3. If $\Gamma \vdash A = \Pi x{:}B_1.\,B_2 : \mathsf{type}$ or $\Gamma \vdash \Pi x{:}B_1.\,B_2 = A : \mathsf{type}$ then $A = \Pi x{:}A_1.\,A_2$ for some $A_1$ and $A_2$ such that $\Gamma \vdash A_1 = B_1 : \mathsf{type}$ and $\Gamma, x{:}A_1 \vdash A_2 = B_2 : \mathsf{type}$.

Proof: By induction on the given equality derivations. There are some subtle points in the proof of part 3, so we show two cases. Note that adding a family-level $\lambda$ would prevent proving this result at such an early stage.

Case:

\[
\mathcal{E} = \frac{\mathcal{E}_1 :: \Gamma \vdash A = C : \mathsf{type} \quad \mathcal{E}_2 :: \Gamma \vdash C = \Pi x{:}B_1.\,B_2 : \mathsf{type}}{\Gamma \vdash A = \Pi x{:}B_1.\,B_2 : \mathsf{type}}
\]

\[
\begin{array}{ll}
C = \Pi x{:}C_1.\,C_2 \text{ for some } C_1 \text{ and } C_2 \text{ such that} & \\
\quad \Gamma \vdash C_1 = B_1 : \mathsf{type} \text{ and} & \\
\quad \Gamma, x{:}C_1 \vdash C_2 = B_2 : \mathsf{type} & \text{By i.h. (3) on } \mathcal{E}_2 \\
A = \Pi x{:}A_1.\,A_2 \text{ for some } A_1 \text{ and } A_2 \text{ such that} & \\
\quad \Gamma \vdash A_1 = C_1 : \mathsf{type} \text{ and} & \\
\quad \Gamma, x{:}A_1 \vdash A_2 = C_2 : \mathsf{type} & \text{By i.h. (3) on } \mathcal{E}_1 \\
\Gamma \vdash A_1 = B_1 : \mathsf{type} & \text{By rule (transitivity)} \\
\Gamma, x{:}A_1 \vdash C_2 = B_2 : \mathsf{type} & \text{By context conversion (Lemma 4)} \\
\Gamma, x{:}A_1 \vdash A_2 = B_2 : \mathsf{type} & \text{By rule (transitivity)}
\end{array}
\]

Case:

\[
\mathcal{E} = \frac{\mathcal{E}_1 :: \Gamma \vdash A = \Pi x{:}B_1.\,B_2 : K \quad \mathcal{E}_2 :: \Gamma \vdash K = \mathsf{type} : \mathsf{kind}}{\Gamma \vdash A = \Pi x{:}B_1.\,B_2 : \mathsf{type}}
\]

\[
\begin{array}{ll}
K = \mathsf{type} & \text{By i.h. (1) on } \mathcal{E}_2 \\
A = \Pi x{:}A_1.\,A_2 \text{ for some } A_1 \text{ and } A_2 \text{ such that} & \\
\quad \Gamma \vdash A_1 = B_1 : \mathsf{type} \text{ and} & \\
\quad \Gamma, x{:}A_1 \vdash A_2 = B_2 : \mathsf{type} & \text{By i.h. (3) on } \mathcal{E}_1
\end{array}
\]

□


Lemma 12 (Injectivity of Products)

1. If $\Gamma \vdash \Pi x{:}A_1.\,A_2 = \Pi x{:}B_1.\,B_2 : \mathsf{type}$ then $\Gamma \vdash A_1 = B_1 : \mathsf{type}$ and $\Gamma, x{:}A_1 \vdash A_2 = B_2 : \mathsf{type}$.

2. If $\Gamma \vdash \Pi x{:}A_1.\,K_2 = \Pi x{:}B_1.\,L_2 : \mathsf{kind}$ then $\Gamma \vdash A_1 = B_1 : \mathsf{type}$ and $\Gamma, x{:}A_1 \vdash K_2 = L_2 : \mathsf{kind}$.

Proof: Immediate by equality inversion (Lemma 11). □
3 Algorithmic Equality

The algorithm for deciding equality can be summarized as follows:

1. When comparing objects at function type, apply extensionality.

2. When comparing objects at base type, reduce both sides to weak head-normal form and then compare heads directly and, if they are equal, each corresponding pair of arguments according to their type.

Since this algorithm is type-directed in case (1) we need to carry types. Unfortunately, this makes it difficult to prove correctness of the algorithm in the presence of dependent types, because transitivity is not an obvious property. The informal description above already contains a clue to the solution: we do not need to know the precise type of the objects we are comparing, as long as we know that they are functions.

We therefore define a calculus of simple types and an erasure function $(\cdot)^-$ that eliminates dependencies for the purpose of this algorithm. The same idea is used later in the definition of the Kripke logical relation to prove completeness of the algorithm.

We  write  a  to  stands  for  simple  base  types  and  we  have  two  special  type  constants,  type"  and 
kind”,  for  the  equality  judgments  at  the  level  of  types  and  kinds. 


Simple Kinds    $\kappa ::= \mathrm{type}^- \mid \tau \to \kappa$

Simple Types    $\tau ::= \alpha \mid \tau_1 \to \tau_2$

Simple Contexts    $\Delta ::= \cdot \mid \Delta, x{:}\tau$

We use $\tau, \theta, \delta$ for simple types and $\Delta, \Theta$ for contexts declaring simple types for variables. We also use $\mathrm{kind}^-$ in a similar role to $\mathrm{kind}$ in the LF type theory.

We write $A^-$ for the simple type that results from erasing dependencies in $A$, and similarly $K^-$. We translate each constant type family $a$ to a base type $a^-$ and extend this to all type families. We extend it further to contexts by applying it to each declaration.


$(a)^- = a^-$
$(A\,M)^- = A^-$
$(\Pi x{:}A_1.\,A_2)^- = A_1^- \to A_2^-$

$(\mathrm{type})^- = \mathrm{type}^-$
$(\Pi x{:}A.\,K)^- = A^- \to K^-$

$(\mathrm{kind})^- = \mathrm{kind}^-$

$(\cdot)^- = \cdot$
$(\Gamma, x{:}A)^- = \Gamma^-, x{:}A^-$

We  need  the  property  that  the  erasure  of  a  type  or  kind  remains  invariant  under  equality  and 
substitution. 

Lemma 13 (Erasure Preservation)

1. If $\Gamma \vdash A = B : K$ then $A^- = B^-$.

2. If $\Gamma \vdash K = L : \mathrm{kind}$ then $K^- = L^-$.

3. If $\Gamma, x{:}A \vdash B : K$ then $B^- = ([M/x]B)^-$.

4. If $\Gamma, x{:}A \vdash K : \mathrm{kind}$ then $K^- = ([M/x]K)^-$.

Proof: By induction over the structure of the given derivations. □

We now present the algorithm in the form of three judgments.

$M \xrightarrow{\mathrm{whr}} M'$ ($M$ weak head reduces to $M'$). Algorithmically, we assume $M$ is given and compute $M'$ (if $M$ is head reducible) or fail.

$\Delta \vdash M \Leftrightarrow N : \tau$ ($M$ is equal to $N$ at simple type $\tau$). Algorithmically, we assume $\Delta$, $M$, $N$, and $\tau$ are given and we simply succeed or fail. We only apply this judgment if $M$ and $N$ have the same type $A$ and $\tau = A^-$.

$\Delta \vdash M \leftrightarrow N : \tau$ ($M$ is structurally equal to $N$). Algorithmically, we assume that $\Delta$, $M$ and $N$ are given and we compute $\tau$ or fail. If successful, $\tau$ will be the approximate type of $M$ and $N$.

Note that the structural and type-directed equality are mutually recursive, while weak head reduction does not depend on the other two judgments.

Weak Head Reduction

$$\frac{}{(\lambda x{:}A_1.\,M_2)\,M_1 \xrightarrow{\mathrm{whr}} [M_1/x]M_2}
\qquad
\frac{M_1 \xrightarrow{\mathrm{whr}} M_1'}{M_1\,M_2 \xrightarrow{\mathrm{whr}} M_1'\,M_2}$$

Type-Directed Object Equality

$$\frac{M \xrightarrow{\mathrm{whr}} M' \quad \Delta \vdash M' \Leftrightarrow N : \alpha}{\Delta \vdash M \Leftrightarrow N : \alpha}
\qquad
\frac{N \xrightarrow{\mathrm{whr}} N' \quad \Delta \vdash M \Leftrightarrow N' : \alpha}{\Delta \vdash M \Leftrightarrow N : \alpha}$$

$$\frac{\Delta \vdash M \leftrightarrow N : \alpha}{\Delta \vdash M \Leftrightarrow N : \alpha}
\qquad
\frac{\Delta, x{:}\tau_1 \vdash M\,x \Leftrightarrow N\,x : \tau_2}{\Delta \vdash M \Leftrightarrow N : \tau_1 \to \tau_2}$$

Structural Object Equality

$$\frac{x{:}\tau \in \Delta}{\Delta \vdash x \leftrightarrow x : \tau}
\qquad
\frac{c{:}A \in \Sigma}{\Delta \vdash c \leftrightarrow c : A^-}$$

$$\frac{\Delta \vdash M_1 \leftrightarrow N_1 : \tau_2 \to \tau_1 \quad \Delta \vdash M_2 \Leftrightarrow N_2 : \tau_2}{\Delta \vdash M_1\,M_2 \leftrightarrow N_1\,N_2 : \tau_1}$$

We mirror these judgments at the level of families. Due to the absence of $\lambda$-abstraction at this level, the kind-directed and structural equality are rather close. However, in the later development and specifically the proof that logically related terms are algorithmically equal (Theorem 19), the distinction is still convenient.

Kind-Directed Family Equality

$$\frac{\Delta \vdash A \leftrightarrow B : \mathrm{type}^-}{\Delta \vdash A \Leftrightarrow B : \mathrm{type}^-}
\qquad
\frac{\Delta, x{:}\tau \vdash A\,x \Leftrightarrow B\,x : \kappa}{\Delta \vdash A \Leftrightarrow B : \tau \to \kappa}$$

$$\frac{\Delta \vdash A_1 \Leftrightarrow B_1 : \mathrm{type}^- \quad \Delta, x{:}A_1^- \vdash A_2 \Leftrightarrow B_2 : \mathrm{type}^-}{\Delta \vdash \Pi x{:}A_1.\,A_2 \Leftrightarrow \Pi x{:}B_1.\,B_2 : \mathrm{type}^-}$$

Structural Family Equality

$$\frac{a{:}K \in \Sigma}{\Delta \vdash a \leftrightarrow a : K^-}
\qquad
\frac{\Delta \vdash A \leftrightarrow B : \tau \to \kappa \quad \Delta \vdash M \Leftrightarrow N : \tau}{\Delta \vdash A\,M \leftrightarrow B\,N : \kappa}$$

Algorithmic Kind Equality

$$\frac{}{\Delta \vdash \mathrm{type} \Leftrightarrow \mathrm{type} : \mathrm{kind}^-}
\qquad
\frac{\Delta \vdash A \Leftrightarrow B : \mathrm{type}^- \quad \Delta, x{:}A^- \vdash K \Leftrightarrow L : \mathrm{kind}^-}{\Delta \vdash \Pi x{:}A.\,K \Leftrightarrow \Pi x{:}B.\,L : \mathrm{kind}^-}$$
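As an added example (not code from the paper), the three object-level judgments above in Python: erasure $(\,)^-$ of dependent types, weak head reduction, the type-directed judgment $\Delta \vdash M \Leftrightarrow N : \tau$ and the structural judgment $\Delta \vdash M \leftrightarrow N : \tau$. The signature of naturals and length-indexed vectors at the end, and the names Var, App, Lam, tdeq, streq and SIG, are this example's own constructions.

```python
# Added example (not the paper's code): Section 3's judgments, with dependent types erased first.
from dataclasses import dataclass
from typing import Optional, Union
import itertools

@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Const: name: str
@dataclass(frozen=True)
class App: fn: "Obj"; arg: "Obj"
@dataclass(frozen=True)
class Lam: x: str; dom: "Type"; body: "Obj"     # lambda x:A. M; A is never inspected
Obj = Union[Var, Const, App, Lam]

@dataclass(frozen=True)
class TConst: name: str                          # type family constant a
@dataclass(frozen=True)
class TApp: fam: "Type"; arg: Obj                # A M
@dataclass(frozen=True)
class Pi: x: str; dom: "Type"; cod: "Type"       # Pi x:A1. A2
Type = Union[TConst, TApp, Pi]
@dataclass(frozen=True)
class Arrow: dom: "SType"; cod: "SType"          # tau1 -> tau2; a base type is just its name
SType = Union[str, Arrow]

def erase(A: Type) -> SType:
    """(a)^- = a, (A M)^- = A^-, (Pi x:A1. A2)^- = A1^- -> A2^-: drop every dependency."""
    if isinstance(A, TConst):
        return A.name
    if isinstance(A, TApp):
        return erase(A.fam)
    return Arrow(erase(A.dom), erase(A.cod))

_counter = itertools.count()
def fresh(x: str) -> str: return f"{x}{next(_counter)}"

def free_vars(M: Obj) -> set:
    if isinstance(M, (Var, Const)):
        return {M.name} if isinstance(M, Var) else set()
    if isinstance(M, App):
        return free_vars(M.fn) | free_vars(M.arg)
    return free_vars(M.body) - {M.x}

def subst(M: Obj, x: str, N: Obj) -> Obj:
    """[N/x]M, renaming a binder that would capture a free variable of N."""
    if isinstance(M, (Var, Const)):
        return N if isinstance(M, Var) and M.name == x else M
    if isinstance(M, App):
        return App(subst(M.fn, x, N), subst(M.arg, x, N))
    if M.x == x:
        return M
    if M.x in free_vars(N):
        y = fresh(M.x)
        return Lam(y, M.dom, subst(subst(M.body, M.x, Var(y)), x, N))
    return Lam(M.x, M.dom, subst(M.body, x, N))

def whr(M: Obj) -> Optional[Obj]:
    """One step M whr-> M', or None when M is not head-reducible."""
    if isinstance(M, App):
        if isinstance(M.fn, Lam):                  # (lambda x:A1. M2) M1 whr-> [M1/x]M2
            return subst(M.fn.body, M.fn.x, M.arg)
        fn = whr(M.fn)                             # M1 whr-> M1' gives M1 M2 whr-> M1' M2
        if fn is not None:
            return App(fn, M.arg)
    return None

def tdeq(sig: dict, delta: dict, M: Obj, N: Obj, tau: SType) -> bool:
    """Delta |- M <=> N : tau.  Extensionality at arrow types with a fresh variable;
    at a base type weak-head-normalize both sides, then compare structurally."""
    if isinstance(tau, Arrow):
        x = fresh("x")
        return tdeq(sig, {**delta, x: tau.dom}, App(M, Var(x)), App(N, Var(x)), tau.cod)
    if (M2 := whr(M)) is not None:
        return tdeq(sig, delta, M2, N, tau)
    if (N2 := whr(N)) is not None:
        return tdeq(sig, delta, M, N2, tau)
    return streq(sig, delta, M, N) == tau

def streq(sig: dict, delta: dict, M: Obj, N: Obj) -> Optional[SType]:
    """Delta |- M <-> N : tau.  Heads must agree; returns the approximate type tau
    read off the head, or None on failure (so a head-reducible term never succeeds)."""
    if isinstance(M, Var) and isinstance(N, Var) and M.name == N.name:
        return delta.get(M.name)
    if isinstance(M, Const) and isinstance(N, Const) and M.name == N.name:
        return sig.get(M.name)                     # c:A in Sigma yields A^-
    if isinstance(M, App) and isinstance(N, App):
        t = streq(sig, delta, M.fn, N.fn)          # functions at tau2 -> tau1 ...
        if isinstance(t, Arrow) and tdeq(sig, delta, M.arg, N.arg, t.dom):
            return t.cod                           # ... arguments at tau2, result tau1
    return None

# Constructed signature (not from the paper): naturals and length-indexed vectors.
NAT = TConst("nat")
def vec(n: Obj) -> Type:
    return TApp(TConst("vec"), n)
SIG = {c: erase(A) for c, A in {
    "z": NAT,
    "s": Pi("_", NAT, NAT),
    "nil": vec(Const("z")),
    "cons": Pi("n", NAT, Pi("_", NAT, Pi("_", vec(Var("n")), vec(App(Const("s"), Var("n")))))),
}.items()}
```

With SIG, `tdeq(SIG, {}, Const("s"), Lam("y", NAT, App(Const("s"), Var("y"))), Arrow("nat", "nat"))` succeeds by extensionality and one head reduction, while the index term in the type of `cons` plays no role after erasure.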

The algorithmic equality satisfies some straightforward structural properties. Weakening is required in the proof of its correctness. It does not appear that exchange, contraction, or strengthening are needed in our particular argument, but these properties can all be easily proven. Note that versions of the logical relations proofs nonetheless apply in the linear, strict, and affine $\lambda$-calculi.

Lemma 14 (Structural Properties of Algorithmic Equality)

For each algorithmic equality judgment $J$ the following hold:

1. (Exchange) If $\Delta, x_1{:}\tau_1, x_2{:}\tau_2, \Delta' \vdash J$ then $\Delta, x_2{:}\tau_2, x_1{:}\tau_1, \Delta' \vdash J$.

2. (Weakening) If $\Delta, \Delta' \vdash J$ then $\Delta, x{:}\tau, \Delta' \vdash J$.

3. (Contraction) If $\Delta, x_1{:}\tau, x_2{:}\tau, \Delta' \vdash J$ then $\Delta, x{:}\tau, \Delta' \vdash [x/x_1][x/x_2]J$.

4. (Strengthening) If $\Delta, x{:}\tau, \Delta' \vdash J$ and $x \notin \mathrm{FV}(J)$, then $\Delta, \Delta' \vdash J$.

Proof: By straightforward inductions over the structure of the given derivations. □

The algorithm is essentially deterministic in the sense that when comparing terms at base type we have to weakly head-normalize both sides and compare the results structurally. This is because terms that are weakly head reducible will never be considered structurally equal.

Lemma 15 (Determinacy of Algorithmic Equality)

1. If $M \xrightarrow{\mathrm{whr}} M'$ and $M \xrightarrow{\mathrm{whr}} M''$ then $M' = M''$.

2. If $\Delta \vdash M \leftrightarrow N : \tau$ then there is no $M'$ such that $M \xrightarrow{\mathrm{whr}} M'$.

3. If $\Delta \vdash M \leftrightarrow N : \tau$ then there is no $N'$ such that $N \xrightarrow{\mathrm{whr}} N'$.

4. If $\Delta \vdash M \leftrightarrow N : \tau$ and $\Delta \vdash M \leftrightarrow N : \tau'$ then $\tau = \tau'$.

5. If $\Delta \vdash A \leftrightarrow B : \kappa$ and $\Delta \vdash A \leftrightarrow B : \kappa'$ then $\kappa = \kappa'$.
Proof: The first part and parts (4) and (5) are immediate by structural induction. We only show the second part, since the third part is symmetric. Assume

$\mathcal{S} :: \Delta \vdash M \leftrightarrow N : \tau$ and $\mathcal{W} :: M \xrightarrow{\mathrm{whr}} M'$

for some $M'$. We now show by simultaneous induction over $\mathcal{S}$ and $\mathcal{W}$ that these assumptions are contradictory. Whenever we have constructed a judgment such that there is no rule that could conclude this judgment, we say we obtain a contradiction by inversion.

Case:

$$\mathcal{S} = \frac{x{:}\tau \in \Delta}{\Delta \vdash x \leftrightarrow x : \tau}$$

$x \xrightarrow{\mathrm{whr}} M'$    Assumption ($\mathcal{W}$)
Contradiction    By inversion

Case: Structural equality of constants is impossible as in the case for variables.

Case:

$$\mathcal{S} = \frac{\mathcal{S}_1 :: \Delta \vdash M_1 \leftrightarrow N_1 : \tau_2 \to \tau_1 \quad \mathcal{T}_2 :: \Delta \vdash M_2 \Leftrightarrow N_2 : \tau_2}{\Delta \vdash M_1\,M_2 \leftrightarrow N_1\,N_2 : \tau_1}$$

Here we distinguish two subcases for the derivation $\mathcal{W}$ of $M_1\,M_2 \xrightarrow{\mathrm{whr}} M'$.

Subcase:

$$\mathcal{W} = \frac{}{(\lambda x{:}A_1.\,M_1')\,M_2 \xrightarrow{\mathrm{whr}} [M_2/x]M_1'}$$

$M_1 = \lambda x{:}A_1.\,M_1'$    Assumption
$\Delta \vdash M_1 \leftrightarrow N_1 : \tau_2 \to \tau_1$    Assumption ($\mathcal{S}_1$)
Contradiction    By inversion

Subcase:

$$\mathcal{W} = \frac{\mathcal{W}_1 :: M_1 \xrightarrow{\mathrm{whr}} M_1'}{M_1\,M_2 \xrightarrow{\mathrm{whr}} M_1'\,M_2}$$

$\Delta \vdash M_1 \leftrightarrow N_1 : \tau_2 \to \tau_1$    Assumption ($\mathcal{S}_1$)
Contradiction    By ind. hyp. on $\mathcal{W}_1$ and $\mathcal{S}_1$

□
The completeness proof requires symmetry and transitivity of the algorithm. This would introduce some difficulty if the algorithm employed precise instead of approximate types. This is one reason why both the algorithm and later the logical relation are defined using approximate types only.

Lemma 16 (Symmetry of Algorithmic Equality)

1. If $\Delta \vdash M \Leftrightarrow N : \tau$ then $\Delta \vdash N \Leftrightarrow M : \tau$.

2. If $\Delta \vdash M \leftrightarrow N : \tau$ then $\Delta \vdash N \leftrightarrow M : \tau$.

3. If $\Delta \vdash A \Leftrightarrow B : \kappa$ then $\Delta \vdash B \Leftrightarrow A : \kappa$.

4. If $\Delta \vdash A \leftrightarrow B : \kappa$ then $\Delta \vdash B \leftrightarrow A : \kappa$.

5. If $\Delta \vdash K \Leftrightarrow L : \mathrm{kind}^-$ then $\Delta \vdash L \Leftrightarrow K : \mathrm{kind}^-$.

Proof: By simultaneous induction on the given derivations. □

Lemma 17 (Transitivity of Algorithmic Equality)

1. If $\Delta \vdash M \Leftrightarrow N : \tau$ and $\Delta \vdash N \Leftrightarrow O : \tau$ then $\Delta \vdash M \Leftrightarrow O : \tau$.

2. If $\Delta \vdash M \leftrightarrow N : \tau$ and $\Delta \vdash N \leftrightarrow O : \tau$ then $\Delta \vdash M \leftrightarrow O : \tau$.

3. If $\Delta \vdash A \Leftrightarrow B : \kappa$ and $\Delta \vdash B \Leftrightarrow C : \kappa$ then $\Delta \vdash A \Leftrightarrow C : \kappa$.

4. If $\Delta \vdash A \leftrightarrow B : \kappa$ and $\Delta \vdash B \leftrightarrow C : \kappa$ then $\Delta \vdash A \leftrightarrow C : \kappa$.

5. If $\Delta \vdash K \Leftrightarrow L : \mathrm{kind}^-$ and $\Delta \vdash L \Leftrightarrow L' : \mathrm{kind}^-$ then $\Delta \vdash K \Leftrightarrow L' : \mathrm{kind}^-$.
Proof: By simultaneous inductions on the structure of the given derivations. In each case, we may appeal to the induction hypothesis if one of the two derivations is strictly smaller, while the other is either smaller or the same. The proof requires determinacy (Lemma 15). We only show some cases in the proof of property (1); others are direct. Assume we are given

$\mathcal{T}_L :: \Delta \vdash M \Leftrightarrow N : \tau$ and $\mathcal{T}_R :: \Delta \vdash N \Leftrightarrow O : \tau$

We have to construct a derivation of $\Delta \vdash M \Leftrightarrow O : \tau$. We distinguish cases for $\mathcal{T}_L$ and $\mathcal{T}_R$. In case one of them is the extensionality rule, the other must be, too, and the result follows easily from the induction hypothesis. We show the remaining cases.

Case:

$$\mathcal{T}_L = \frac{M \xrightarrow{\mathrm{whr}} M' \quad \mathcal{T}_L' :: \Delta \vdash M' \Leftrightarrow N : \alpha}{\Delta \vdash M \Leftrightarrow N : \alpha}$$

where $\mathcal{T}_R$ is arbitrary.

$\Delta \vdash M' \Leftrightarrow O : \alpha$    By ind. hyp. (1) on $\mathcal{T}_L'$ and $\mathcal{T}_R$
$\Delta \vdash M \Leftrightarrow O : \alpha$    By rule (whr left)

Case:

$$\mathcal{T}_R = \frac{O \xrightarrow{\mathrm{whr}} O' \quad \mathcal{T}_R' :: \Delta \vdash N \Leftrightarrow O' : \alpha}{\Delta \vdash N \Leftrightarrow O : \alpha}$$

where $\mathcal{T}_L$ is arbitrary.

$\Delta \vdash M \Leftrightarrow O' : \alpha$    By ind. hyp. (1) on $\mathcal{T}_L$ and $\mathcal{T}_R'$
$\Delta \vdash M \Leftrightarrow O : \alpha$    By rule (whr right)

Case:

$$\mathcal{T}_L = \frac{N \xrightarrow{\mathrm{whr}} N' \quad \mathcal{T}_L' :: \Delta \vdash M \Leftrightarrow N' : \alpha}{\Delta \vdash M \Leftrightarrow N : \alpha}
\quad\text{and}\quad
\mathcal{T}_R = \frac{N \xrightarrow{\mathrm{whr}} N'' \quad \mathcal{T}_R' :: \Delta \vdash N'' \Leftrightarrow O : \alpha}{\Delta \vdash N \Leftrightarrow O : \alpha}$$

$N' = N''$    By determinacy of weak head reduction (Lemma 15(1))
$\Delta \vdash M \Leftrightarrow O : \alpha$    By ind. hyp. (1) on $\mathcal{T}_L'$ and $\mathcal{T}_R'$

Case:

$$\mathcal{T}_L = \frac{N \xrightarrow{\mathrm{whr}} N' \quad \mathcal{T}_L' :: \Delta \vdash M \Leftrightarrow N' : \alpha}{\Delta \vdash M \Leftrightarrow N : \alpha}
\quad\text{and}\quad
\mathcal{T}_R = \frac{\mathcal{S}_R :: \Delta \vdash N \leftrightarrow O : \alpha}{\Delta \vdash N \Leftrightarrow O : \alpha}$$

This case is impossible by determinacy of algorithmic equality (Lemma 15(2)).

Case:

$$\mathcal{T}_L = \frac{\mathcal{S}_L :: \Delta \vdash M \leftrightarrow N : \alpha}{\Delta \vdash M \Leftrightarrow N : \alpha}
\quad\text{and}\quad
\mathcal{T}_R = \frac{N \xrightarrow{\mathrm{whr}} N' \quad \mathcal{T}_R' :: \Delta \vdash N' \Leftrightarrow O : \alpha}{\Delta \vdash N \Leftrightarrow O : \alpha}$$

This case is impossible by determinacy of algorithmic equality (Lemma 15(3)).

Case:

$$\mathcal{T}_L = \frac{\mathcal{S}_L :: \Delta \vdash M \leftrightarrow N : \alpha}{\Delta \vdash M \Leftrightarrow N : \alpha}
\quad\text{and}\quad
\mathcal{T}_R = \frac{\mathcal{S}_R :: \Delta \vdash N \leftrightarrow O : \alpha}{\Delta \vdash N \Leftrightarrow O : \alpha}$$

$\Delta \vdash M \leftrightarrow O : \alpha$    By ind. hyp. (2) on $\mathcal{S}_L$ and $\mathcal{S}_R$
$\Delta \vdash M \Leftrightarrow O : \alpha$    By rule

□


4 Completeness of Algorithmic Equality

In this section we develop the completeness theorem for the type-directed equality algorithm. That is, if two terms are definitionally equal, the algorithm will succeed. The goal is to present a flexible and modular technique which can be adapted easily to related type theories, such as the one underlying the linear logical framework [CP98], one based on non-commutative linear logic [PP99], or one including subtyping [Pfe93]. Other techniques presented in the literature, particularly those based on a notion of $\eta$-reduction, do not seem to adapt well to these richer theories.

The central idea is to proceed by an argument via logical relations defined inductively on the approximate type of an object, where the approximate type arises from erasing all dependencies in an LF type.

The completeness direction of the correctness proof for type-directed equality states:

If $\Gamma \vdash M = N : A$ then $\Gamma^- \vdash M \Leftrightarrow N : A^-$.

One would like to prove this by induction on the structure of the derivation for the given equality. However, such a proof attempt fails at the case for application. Instead we define a logical relation $\Delta \vdash M = N \in [\![\tau]\!]$ that provides a stronger induction hypothesis so that both

1. if $\Gamma \vdash M = N : A$ then $\Gamma^- \vdash M = N \in [\![A^-]\!]$, and

2. if $\Gamma^- \vdash M = N \in [\![A^-]\!]$ then $\Gamma^- \vdash M \Leftrightarrow N : A^-$,

can be proved.

4.1 A Kripke Logical Relation

We define a Kripke logical relation inductively on simple types. At base type we require the property we eventually would like to prove. At higher types we reduce the property to those for simpler types. We also extend it further to include substitutions, where it is defined by induction over the structure of the matching context.

We say that a context $\Delta'$ extends $\Delta$ (written $\Delta' \ge \Delta$) if $\Delta'$ contains all declarations in $\Delta$ and possibly more.

1. $\Delta \vdash M = N \in [\![\alpha]\!]$ iff $\Delta \vdash M \Leftrightarrow N : \alpha$.

2. $\Delta \vdash M = N \in [\![\tau_1 \to \tau_2]\!]$ iff for every $\Delta'$ extending $\Delta$ and for all $M_1$ and $N_1$ such that $\Delta' \vdash M_1 = N_1 \in [\![\tau_1]\!]$ we have $\Delta' \vdash M\,M_1 = N\,N_1 \in [\![\tau_2]\!]$.

3. $\Delta \vdash A = B \in [\![\mathrm{type}^-]\!]$ iff $\Delta \vdash A \Leftrightarrow B : \mathrm{type}^-$.

4. $\Delta \vdash A = B \in [\![\tau \to \kappa]\!]$ iff for every $\Delta'$ extending $\Delta$ and for all $M$ and $N$ such that $\Delta' \vdash M = N \in [\![\tau]\!]$ we have $\Delta' \vdash A\,M = B\,N \in [\![\kappa]\!]$.

5. $\Delta \vdash \sigma = \theta \in [\![\cdot]\!]$ iff $\sigma = \cdot$ and $\theta = \cdot$.

6. $\Delta \vdash \sigma = \theta \in [\![\Theta, x{:}\tau]\!]$ iff $\sigma = (\sigma', M/x)$ and $\theta = (\theta', N/x)$ where $\Delta \vdash \sigma' = \theta' \in [\![\Theta]\!]$ and $\Delta \vdash M = N \in [\![\tau]\!]$.

Four general structural properties of the logical relations that we can show directly by induction are exchange, weakening, contraction, and strengthening. We will use only weakening.

Lemma 18 (Structural Properties of the Logical Relations) For all logical relations $R$ the following hold:

1. (Exchange) If $\Delta, x_1{:}\tau_1, x_2{:}\tau_2, \Delta' \vdash R$ then $\Delta, x_2{:}\tau_2, x_1{:}\tau_1, \Delta' \vdash R$.

2. (Weakening) If $\Delta, \Delta' \vdash R$ then $\Delta, x{:}\tau, \Delta' \vdash R$.

3. (Contraction) If $\Delta, x_1{:}\tau, x_2{:}\tau, \Delta' \vdash R$ then $\Delta, x{:}\tau, \Delta' \vdash [x/x_1][x/x_2]R$.

4. (Strengthening) If $\Delta, x{:}\tau, \Delta' \vdash R$ and $x \notin \mathrm{FV}(R)$, then $\Delta, \Delta' \vdash R$.

Proof: By induction on the structure of the definition of $R$ (either simple type, kind, or context). For contraction and strengthening, it is easiest to take advantage of weakening in the case for function types. We show only the proof for weakening, that is, if $\Delta, \Delta' \vdash M = N \in [\![\tau]\!]$ then $\Delta, x{:}\theta, \Delta' \vdash M = N \in [\![\tau]\!]$.

Case: $\tau = \alpha$.

$\Delta, \Delta' \vdash M = N \in [\![\alpha]\!]$    Assumption
$\Delta, \Delta' \vdash M \Leftrightarrow N : \alpha$    By definition of $[\![\alpha]\!]$
$\Delta, x{:}\theta, \Delta' \vdash M \Leftrightarrow N : \alpha$    By weakening (Lemma 14)
$\Delta, x{:}\theta, \Delta' \vdash M = N \in [\![\alpha]\!]$    By definition of $[\![\alpha]\!]$

Case: $\tau = \tau_1 \to \tau_2$.

$\Delta, \Delta' \vdash M = N \in [\![\tau_1 \to \tau_2]\!]$    Assumption
$\Delta^+, x{:}\theta, \Delta'^+ \vdash M_1 = N_1 \in [\![\tau_1]\!]$ for arbitrary $\Delta^+ \ge \Delta$ and $\Delta'^+ \ge \Delta'$    New assumption
$\Delta^+, x{:}\theta, \Delta'^+ \ge \Delta, \Delta'$    By definition of $\ge$
$\Delta^+, x{:}\theta, \Delta'^+ \vdash M\,M_1 = N\,N_1 \in [\![\tau_2]\!]$    By definition of $[\![\tau_1 \to \tau_2]\!]$ and assumption
$\Delta, x{:}\theta, \Delta' \vdash M = N \in [\![\tau_1 \to \tau_2]\!]$    By definition of $[\![\tau_1 \to \tau_2]\!]$

□

4.2 Logically Related Terms are Algorithmically Equal

It is straightforward to show that logically related terms are considered identical by the algorithm. This proof always proceeds by induction on the structure of the type. A small insight may be required to arrive at the necessary generalization of the induction hypothesis. Here, this involves the statement that structurally equal terms are logically related. This has an important consequence we will need later on, namely that variables and constants are logically related to themselves.

Theorem 19 (Logically Related Terms are Algorithmically Equal)

1. If $\Delta \vdash M = N \in [\![\tau]\!]$ then $\Delta \vdash M \Leftrightarrow N : \tau$.

2. If $\Delta \vdash A = B \in [\![\kappa]\!]$ then $\Delta \vdash A \Leftrightarrow B : \kappa$.

3. If $\Delta \vdash M \leftrightarrow N : \tau$ then $\Delta \vdash M = N \in [\![\tau]\!]$.

4. If $\Delta \vdash A \leftrightarrow B : \kappa$ then $\Delta \vdash A = B \in [\![\kappa]\!]$.

Proof: By simultaneous induction on the structure of $\tau$.

Case: $\tau = \alpha$, part 1.

$\Delta \vdash M = N \in [\![\alpha]\!]$    Assumption
$\Delta \vdash M \Leftrightarrow N : \alpha$    By definition of $[\![\alpha]\!]$

Case: $\kappa = \mathrm{type}^-$, part 2.

$\Delta \vdash A = B \in [\![\mathrm{type}^-]\!]$    Assumption
$\Delta \vdash A \Leftrightarrow B : \mathrm{type}^-$    By definition of $[\![\mathrm{type}^-]\!]$

Case: $\tau = \alpha$, part 3.

$\Delta \vdash M \leftrightarrow N : \alpha$    Assumption
$\Delta \vdash M \Leftrightarrow N : \alpha$    By rule
$\Delta \vdash M = N \in [\![\alpha]\!]$    By definition of $[\![\alpha]\!]$

Case: $\kappa = \mathrm{type}^-$, part 4.

$\Delta \vdash A \leftrightarrow B : \mathrm{type}^-$    Assumption
$\Delta \vdash A \Leftrightarrow B : \mathrm{type}^-$    By rule
$\Delta \vdash A = B \in [\![\mathrm{type}^-]\!]$    By definition of $[\![\mathrm{type}^-]\!]$

Case: $\tau = \tau_1 \to \tau_2$, part 1.

$\Delta \vdash M = N \in [\![\tau_1 \to \tau_2]\!]$    Assumption
$\Delta, x{:}\tau_1 \vdash x \leftrightarrow x : \tau_1$    By rule
$\Delta, x{:}\tau_1 \vdash x = x \in [\![\tau_1]\!]$    By i.h. 3 on $\tau_1$
$\Delta, x{:}\tau_1 \vdash M\,x = N\,x \in [\![\tau_2]\!]$    By definition of $[\![\tau_1 \to \tau_2]\!]$
$\Delta, x{:}\tau_1 \vdash M\,x \Leftrightarrow N\,x : \tau_2$    By i.h. 1 on $\tau_2$
$\Delta \vdash M \Leftrightarrow N : \tau_1 \to \tau_2$    By rule

Case: $\kappa = \tau_1 \to \kappa_2$, part 2.

$\Delta \vdash A = B \in [\![\tau_1 \to \kappa_2]\!]$    Assumption
$\Delta, x{:}\tau_1 \vdash x \leftrightarrow x : \tau_1$    By rule
$\Delta, x{:}\tau_1 \vdash x = x \in [\![\tau_1]\!]$    By i.h. 3 on $\tau_1$
$\Delta, x{:}\tau_1 \vdash A\,x = B\,x \in [\![\kappa_2]\!]$    By definition of $[\![\tau_1 \to \kappa_2]\!]$
$\Delta, x{:}\tau_1 \vdash A\,x \Leftrightarrow B\,x : \kappa_2$    By i.h. 2 on $\kappa_2$
$\Delta \vdash A \Leftrightarrow B : \tau_1 \to \kappa_2$    By rule

Case: $\tau = \tau_1 \to \tau_2$, part 3.

$\Delta \vdash M \leftrightarrow N : \tau_1 \to \tau_2$    Assumption
$\Delta^+ \vdash M_1 = N_1 \in [\![\tau_1]\!]$ for an arbitrary $\Delta^+ \ge \Delta$    New assumption
$\Delta^+ \vdash M_1 \Leftrightarrow N_1 : \tau_1$    By i.h. 1 on $\tau_1$
$\Delta^+ \vdash M \leftrightarrow N : \tau_1 \to \tau_2$    By weakening (Lemma 14)
$\Delta^+ \vdash M\,M_1 \leftrightarrow N\,N_1 : \tau_2$    By rule
$\Delta^+ \vdash M\,M_1 = N\,N_1 \in [\![\tau_2]\!]$    By i.h. 3 on $\tau_2$
$\Delta \vdash M = N \in [\![\tau_1 \to \tau_2]\!]$    By definition of $[\![\tau_1 \to \tau_2]\!]$

Case: $\kappa = \tau_1 \to \kappa_2$, part 4.

$\Delta \vdash A \leftrightarrow B : \tau_1 \to \kappa_2$    Assumption
$\Delta^+ \vdash M_1 = N_1 \in [\![\tau_1]\!]$ for an arbitrary $\Delta^+ \ge \Delta$    New assumption
$\Delta^+ \vdash M_1 \Leftrightarrow N_1 : \tau_1$    By i.h. 1 on $\tau_1$
$\Delta^+ \vdash A \leftrightarrow B : \tau_1 \to \kappa_2$    By weakening (Lemma 14)
$\Delta^+ \vdash A\,M_1 \leftrightarrow B\,N_1 : \kappa_2$    By rule
$\Delta^+ \vdash A\,M_1 = B\,N_1 \in [\![\kappa_2]\!]$    By i.h. 4 on $\kappa_2$
$\Delta \vdash A = B \in [\![\tau_1 \to \kappa_2]\!]$    By definition of $[\![\tau_1 \to \kappa_2]\!]$

□


4.3 Definitionally Equal Terms are Logically Related

The other part of the logical relations argument states that two equal terms are logically related. This requires a sequence of lemmas regarding algorithmic equality and the logical relation.

Lemma 20 (Closure under Head Expansion)

1. If $M \xrightarrow{\mathrm{whr}} M'$ and $\Delta \vdash M' = N \in [\![\tau]\!]$ then $\Delta \vdash M = N \in [\![\tau]\!]$.

2. If $N \xrightarrow{\mathrm{whr}} N'$ and $\Delta \vdash M = N' \in [\![\tau]\!]$ then $\Delta \vdash M = N \in [\![\tau]\!]$.

Proof: Each part follows by induction on the structure of $\tau$. We show only the first, since the second is symmetric.

Case: $\tau = \alpha$.

$M \xrightarrow{\mathrm{whr}} M'$    Assumption
$\Delta \vdash M' = N \in [\![\alpha]\!]$    Assumption
$\Delta \vdash M' \Leftrightarrow N : \alpha$    By definition of $[\![\alpha]\!]$
$\Delta \vdash M \Leftrightarrow N : \alpha$    By rule (whr)
$\Delta \vdash M = N \in [\![\alpha]\!]$    By definition of $[\![\alpha]\!]$

Case: $\tau = \tau_1 \to \tau_2$.

$M \xrightarrow{\mathrm{whr}} M'$    Assumption
$\Delta \vdash M' = N \in [\![\tau_1 \to \tau_2]\!]$    Assumption
$\Delta^+ \vdash M_1 = N_1 \in [\![\tau_1]\!]$ for $\Delta^+ \ge \Delta$    New assumption
$\Delta^+ \vdash M'\,M_1 = N\,N_1 \in [\![\tau_2]\!]$    By definition of $[\![\tau_1 \to \tau_2]\!]$
$M\,M_1 \xrightarrow{\mathrm{whr}} M'\,M_1$    By rule
$\Delta^+ \vdash M\,M_1 = N\,N_1 \in [\![\tau_2]\!]$    By i.h. on $\tau_2$
$\Delta \vdash M = N \in [\![\tau_1 \to \tau_2]\!]$    By definition of $[\![\tau_1 \to \tau_2]\!]$

□

Lemma 21 (Symmetry of the Logical Relations)

1. If $\Delta \vdash M = N \in [\![\tau]\!]$ then $\Delta \vdash N = M \in [\![\tau]\!]$.

2. If $\Delta \vdash A = B \in [\![\kappa]\!]$ then $\Delta \vdash B = A \in [\![\kappa]\!]$.

3. If $\Delta \vdash \sigma = \theta \in [\![\Theta]\!]$ then $\Delta \vdash \theta = \sigma \in [\![\Theta]\!]$.

Proof: By induction on the structure of $\tau$, $\kappa$, and $\Theta$, using Lemma 16. We show some representative cases.

Case: $\tau = \alpha$.

$\Delta \vdash M = N \in [\![\alpha]\!]$    Assumption
$\Delta \vdash M \Leftrightarrow N : \alpha$    By definition of $[\![\alpha]\!]$
$\Delta \vdash N \Leftrightarrow M : \alpha$    By symmetry of type-directed equality (Lemma 16)
$\Delta \vdash N = M \in [\![\alpha]\!]$    By definition of $[\![\alpha]\!]$

Case: $\tau = \tau_1 \to \tau_2$.

$\Delta \vdash M = N \in [\![\tau_1 \to \tau_2]\!]$    Assumption
$\Delta^+ \vdash N_1 = M_1 \in [\![\tau_1]\!]$ for $\Delta^+ \ge \Delta$    New assumption
$\Delta^+ \vdash M_1 = N_1 \in [\![\tau_1]\!]$    By i.h. on $\tau_1$
$\Delta^+ \vdash M\,M_1 = N\,N_1 \in [\![\tau_2]\!]$    By definition of $[\![\tau_1 \to \tau_2]\!]$
$\Delta^+ \vdash N\,N_1 = M\,M_1 \in [\![\tau_2]\!]$    By i.h. on $\tau_2$
$\Delta \vdash N = M \in [\![\tau_1 \to \tau_2]\!]$    By definition of $[\![\tau_1 \to \tau_2]\!]$

□


Lemma 22 (Transitivity of the Logical Relations)

1. If $\Delta \vdash M = N \in [\![\tau]\!]$ and $\Delta \vdash N = O \in [\![\tau]\!]$ then $\Delta \vdash M = O \in [\![\tau]\!]$.

2. If $\Delta \vdash A = B \in [\![\kappa]\!]$ and $\Delta \vdash B = C \in [\![\kappa]\!]$ then $\Delta \vdash A = C \in [\![\kappa]\!]$.

3. If $\Delta \vdash \sigma = \theta \in [\![\Theta]\!]$ and $\Delta \vdash \theta = \delta \in [\![\Theta]\!]$ then $\Delta \vdash \sigma = \delta \in [\![\Theta]\!]$.

Proof: By induction on the structure of $\tau$, $\kappa$, and $\Theta$, using Lemma 17. We show some representative cases.

Case: $\tau = \alpha$. Then the property follows from the definition of $[\![\alpha]\!]$ and the transitivity of type-directed equality (Lemma 17).

$\Delta \vdash M = N \in [\![\alpha]\!]$    Assumption
$\Delta \vdash N = O \in [\![\alpha]\!]$    Assumption
$\Delta \vdash M \Leftrightarrow N : \alpha$    By definition of $[\![\alpha]\!]$
$\Delta \vdash N \Leftrightarrow O : \alpha$    By definition of $[\![\alpha]\!]$
$\Delta \vdash M \Leftrightarrow O : \alpha$    By transitivity of type-directed equality (Lemma 17)
$\Delta \vdash M = O \in [\![\alpha]\!]$    By definition of $[\![\alpha]\!]$

Case: $\tau = \tau_1 \to \tau_2$.

$\Delta \vdash M = N \in [\![\tau_1 \to \tau_2]\!]$    Assumption
$\Delta \vdash N = O \in [\![\tau_1 \to \tau_2]\!]$    Assumption
$\Delta^+ \vdash M_1 = O_1 \in [\![\tau_1]\!]$ for $\Delta^+ \ge \Delta$    New assumption
$\Delta^+ \vdash M\,M_1 = N\,O_1 \in [\![\tau_2]\!]$    By definition of $[\![\tau_1 \to \tau_2]\!]$
$\Delta^+ \vdash O_1 = M_1 \in [\![\tau_1]\!]$    By symmetry (Lemma 21)
$\Delta^+ \vdash O_1 = O_1 \in [\![\tau_1]\!]$    By i.h. on $\tau_1$
$\Delta^+ \vdash N\,O_1 = O\,O_1 \in [\![\tau_2]\!]$    By definition of $[\![\tau_1 \to \tau_2]\!]$
$\Delta^+ \vdash M\,M_1 = O\,O_1 \in [\![\tau_2]\!]$    By i.h. on $\tau_2$
$\Delta \vdash M = O \in [\![\tau_1 \to \tau_2]\!]$    By definition of $[\![\tau_1 \to \tau_2]\!]$

□


Lemma 23 (Definitionally Equal Terms are Logically Related under Substitutions)

1. If $\Gamma \vdash M = N : A$ and $\Delta \vdash \sigma = \theta \in [\![\Gamma^-]\!]$ then $\Delta \vdash M[\sigma] = N[\theta] \in [\![A^-]\!]$.

2. If $\Gamma \vdash A = B : K$ and $\Delta \vdash \sigma = \theta \in [\![\Gamma^-]\!]$ then $\Delta \vdash A[\sigma] = B[\theta] \in [\![K^-]\!]$.

Proof: By induction on the derivation $\mathcal{D}$ of definitional equality, using the prior lemmas in this section. For this argument, some subderivations of the equality judgment are unnecessary (in particular, those establishing the validity of certain types). We elide those premises and write "$\ldots$" instead.

Case:

$$\mathcal{D} = \frac{x{:}A \in \Gamma}{\Gamma \vdash x = x : A}$$

$\Delta \vdash \sigma = \theta \in [\![\Gamma^-]\!]$    Assumption
$\Delta \vdash M = N \in [\![A^-]\!]$ for $M/x$ in $\sigma$ and $N/x$ in $\theta$    By definition of $[\![\Gamma^-]\!]$
$\Delta \vdash x[\sigma] = x[\theta] \in [\![A^-]\!]$    By definition of substitution

Case:

$$\mathcal{D} = \frac{c{:}A \in \Sigma}{\Gamma \vdash c = c : A}$$

$\Delta \vdash c \leftrightarrow c : A^-$    By rule
$\Delta \vdash c = c \in [\![A^-]\!]$    By Theorem 19(3)
$\Delta \vdash c[\sigma] = c[\theta] \in [\![A^-]\!]$    By definition of substitution

Case:

$$\mathcal{D} = \frac{\mathcal{D}_1 :: \Gamma \vdash M_1 = N_1 : \Pi x{:}A_2.\,A_1 \quad \mathcal{D}_2 :: \Gamma \vdash M_2 = N_2 : A_2}{\Gamma \vdash M_1\,M_2 = N_1\,N_2 : [M_2/x]A_1}$$

$\Delta \vdash M_1[\sigma] = N_1[\theta] \in [\![A_2^- \to A_1^-]\!]$    By i.h. on $\mathcal{D}_1$
$\Delta \vdash M_2[\sigma] = N_2[\theta] \in [\![A_2^-]\!]$    By i.h. on $\mathcal{D}_2$
$\Delta \vdash (M_1[\sigma])\,(M_2[\sigma]) = (N_1[\theta])\,(N_2[\theta]) \in [\![A_1^-]\!]$    By definition of $[\![\tau_2 \to \tau_1]\!]$
$\Delta \vdash (M_1\,M_2)[\sigma] = (N_1\,N_2)[\theta] \in [\![A_1^-]\!]$    By definition of substitution

Case:

$$\mathcal{D} = \frac{\ldots \quad \mathcal{D}_2 :: \Gamma, x{:}A_1 \vdash M_2 = N_2 : A_2}{\Gamma \vdash \lambda x{:}A_1'.\,M_2 = \lambda x{:}A_1''.\,N_2 : \Pi x{:}A_1.\,A_2}$$

$\Delta^+ \vdash M_1 = N_1 \in [\![A_1^-]\!]$ for $\Delta^+ \ge \Delta$    New assumption
$\Delta^+ \vdash \sigma = \theta \in [\![\Gamma^-]\!]$    By weakening (Lemma 18)
$\Delta^+ \vdash (\sigma, M_1/x) = (\theta, N_1/x) \in [\![\Gamma^-, x{:}A_1^-]\!]$    By definition of $[\![\Delta, x{:}\tau]\!]$
$\Delta^+ \vdash M_2[\sigma, M_1/x] = N_2[\theta, N_1/x] \in [\![A_2^-]\!]$    By i.h. on $\mathcal{D}_2$
$\Delta^+ \vdash (\lambda x{:}A_1'.\,M_2[\sigma, x/x])\,M_1 = N_2[\theta, N_1/x] \in [\![A_2^-]\!]$    By closure under head expansion (Lemma 20)
$\Delta^+ \vdash (\lambda x{:}A_1'.\,M_2[\sigma, x/x])\,M_1 =(\lambda x{:}A_1''.\,N_2[\theta, x/x])\,N_1 \in [\![A_2^-]\!]$    By closure under head expansion (Lemma 20)
$\Delta^+ \vdash ((\lambda x{:}A_1'.\,M_2)[\sigma])\,M_1 = ((\lambda x{:}A_1''.\,N_2)[\theta])\,N_1 \in [\![A_2^-]\!]$    By properties of substitution
$\Delta \vdash \lambda x{:}A_1'.\,M_2 = \lambda x{:}A_1''.\,N_2 \in [\![A_1^- \to A_2^-]\!]$    By definition of $[\![\tau_1 \to \tau_2]\!]$

Case:

$$\mathcal{D} = \frac{\ldots \quad \mathcal{D}_2 :: \Gamma, x{:}A_1 \vdash M\,x = N\,x : A_2}{\Gamma \vdash M = N : \Pi x{:}A_1.\,A_2}$$

$\Delta^+ \vdash M_1 = N_1 \in [\![A_1^-]\!]$ for $\Delta^+ \ge \Delta$    New assumption
$\Delta^+ \vdash \sigma = \theta \in [\![\Gamma^-]\!]$    By weakening (Lemma 18)
$\Delta^+ \vdash (\sigma, M_1/x) = (\theta, N_1/x) \in [\![\Gamma^-, x{:}A_1^-]\!]$    By definition of $[\![\Delta, x{:}\tau]\!]$
$\Delta^+ \vdash (M\,x)[\sigma, M_1/x] = (N\,x)[\theta, N_1/x] \in [\![A_2^-]\!]$    By i.h. on $\mathcal{D}_2$
$\Delta^+ \vdash M[\sigma]\,M_1 = N[\theta]\,N_1 \in [\![A_2^-]\!]$    By properties of substitution
$\Delta \vdash M = N \in [\![A_1^- \to A_2^-]\!]$    By definition of $[\![\tau_1 \to \tau_2]\!]$

Case:

$$\mathcal{D} = \frac{\mathcal{D}_2 :: \Gamma, x{:}A_1 \vdash M_2 = N_2 : A_2 \quad \mathcal{D}_1 :: \Gamma \vdash M_1 = N_1 : A_1}{\Gamma \vdash (\lambda x{:}A_1.\,M_2)\,M_1 = [N_1/x]N_2 : [M_1/x]A_2}$$

$\Delta \vdash \sigma = \theta \in [\![\Gamma^-]\!]$    Assumption
$\Delta \vdash M_1[\sigma] = N_1[\theta] \in [\![A_1^-]\!]$    By i.h. on $\mathcal{D}_1$
$\Delta \vdash (\sigma, M_1[\sigma]/x) = (\theta, N_1[\theta]/x) \in [\![\Gamma^-, x{:}A_1^-]\!]$    By definition of $[\![\Theta, x{:}\tau_1]\!]$
$\Delta \vdash M_2[\sigma, M_1[\sigma]/x] = N_2[\theta, N_1[\theta]/x] \in [\![A_2^-]\!]$    By i.h. on $\mathcal{D}_2$
$\Delta \vdash [M_1[\sigma]/x](M_2[\sigma, x/x]) = N_2[\theta, N_1[\theta]/x] \in [\![A_2^-]\!]$    By properties of substitution
$\Delta \vdash (\lambda x{:}A_1.\,M_2[\sigma, x/x])\,(M_1[\sigma]) = N_2[\theta, N_1[\theta]/x] \in [\![A_2^-]\!]$    By closure under head expansion (Lemma 20)
$\Delta \vdash ((\lambda x{:}A_1.\,M_2)\,M_1)[\sigma] = ([N_1/x]N_2)[\theta] \in [\![A_2^-]\!]$    By properties of substitution
$\Delta \vdash ((\lambda x{:}A_1.\,M_2)\,M_1)[\sigma] = ([N_1/x]N_2)[\theta] \in [\![([M_1/x]A_2)^-]\!]$    By erasure preservation (Lemma 13)

Case:

$$\mathcal{D} = \frac{\mathcal{D}' :: \Gamma \vdash N = M : A}{\Gamma \vdash M = N : A}$$

$\Delta \vdash \sigma = \theta \in [\![\Gamma^-]\!]$    Assumption
$\Delta \vdash \theta = \sigma \in [\![\Gamma^-]\!]$    By symmetry (Lemma 21)
$\Delta \vdash N[\theta] = M[\sigma] \in [\![A^-]\!]$    By i.h. on $\mathcal{D}'$
$\Delta \vdash M[\sigma] = N[\theta] \in [\![A^-]\!]$    By symmetry (Lemma 21)

Case:

$$\mathcal{D} = \frac{\mathcal{D}_1 :: \Gamma \vdash M = O : A \quad \mathcal{D}_2 :: \Gamma \vdash O = N : A}{\Gamma \vdash M = N : A}$$

$\Delta \vdash \sigma = \theta \in [\![\Gamma^-]\!]$    Assumption
$\Delta \vdash \theta = \sigma \in [\![\Gamma^-]\!]$    By symmetry (Lemma 21)
$\Delta \vdash \theta = \theta \in [\![\Gamma^-]\!]$    By transitivity (Lemma 22)
$\Delta \vdash M[\sigma] = O[\theta] \in [\![A^-]\!]$    By i.h. on $\mathcal{D}_1$
$\Delta \vdash O[\theta] = N[\theta] \in [\![A^-]\!]$    By i.h. on $\mathcal{D}_2$
$\Delta \vdash M[\sigma] = N[\theta] \in [\![A^-]\!]$    By transitivity (Lemma 22)

Case:

$$\mathcal{D} = \frac{\mathcal{D}_1 :: \Gamma \vdash M = N : B \quad \Gamma \vdash B = A : \mathrm{type}}{\Gamma \vdash M = N : A}$$

$\Delta \vdash M[\sigma] = N[\theta] \in [\![B^-]\!]$    By i.h. on $\mathcal{D}_1$
$\Delta \vdash M[\sigma] = N[\theta] \in [\![A^-]\!]$    By erasure preservation (Lemma 13)

Case: $\Gamma \vdash a = a : K$. As for constants $c$.

Case: $\Gamma \vdash A_1\,M_2 = B_1\,N_2 : [M_2/x]K_1$. As for applications $M_1\,M_2$.

Case:

$$\mathcal{D} = \frac{\mathcal{D}_1 :: \Gamma \vdash A_1 = B_1 : \mathrm{type} \quad \mathcal{D}_2 :: \Gamma, x{:}A_1 \vdash A_2 = B_2 : \mathrm{type}}{\Gamma \vdash \Pi x{:}A_1.\,A_2 = \Pi x{:}B_1.\,B_2 : \mathrm{type}}$$

$\Delta \vdash A_1[\sigma] = B_1[\theta] \in [\![\mathrm{type}^-]\!]$    By i.h. on $\mathcal{D}_1$
$\Delta \vdash A_1[\sigma] \Leftrightarrow B_1[\theta] : \mathrm{type}^-$    By definition of $[\![\mathrm{type}^-]\!]$
$\Delta, x{:}A_1^- \vdash x \leftrightarrow x : A_1^-$    By rule
$\Delta, x{:}A_1^- \vdash x = x \in [\![A_1^-]\!]$    By Theorem 19(3)
$\Delta, x{:}A_1^- \vdash (\sigma, x/x) = (\theta, x/x) \in [\![\Gamma^-, x{:}A_1^-]\!]$    By definition of $[\![\Theta, x{:}\tau_1]\!]$
$\Delta, x{:}A_1^- \vdash A_2[\sigma, x/x] = B_2[\theta, x/x] \in [\![\mathrm{type}^-]\!]$    By i.h. on $\mathcal{D}_2$
$\Delta, x{:}A_1^- \vdash A_2[\sigma, x/x] \Leftrightarrow B_2[\theta, x/x] : \mathrm{type}^-$    By definition of $[\![\mathrm{type}^-]\!]$
$\Delta \vdash \Pi x{:}A_1[\sigma].\,A_2[\sigma, x/x] \Leftrightarrow \Pi x{:}B_1[\theta].\,B_2[\theta, x/x] : \mathrm{type}^-$    By rule
$\Delta \vdash \Pi x{:}A_1[\sigma].\,A_2[\sigma, x/x] = \Pi x{:}B_1[\theta].\,B_2[\theta, x/x] \in [\![\mathrm{type}^-]\!]$    By definition of $[\![\mathrm{type}^-]\!]$
$\Delta \vdash (\Pi x{:}A_1.\,A_2)[\sigma] = (\Pi x{:}B_1.\,B_2)[\theta] \in [\![\mathrm{type}^-]\!]$    By definition of substitution

Case: Family symmetry rule. As for the object-level symmetry.

Case: Family transitivity rule. As for the object-level transitivity.

Case: Kind conversion rule. As for the type conversion rule.

□


Lemma 24 (Identity Substitutions are Logically Related)
$\Gamma^- \vdash \mathrm{id}_\Gamma = \mathrm{id}_\Gamma \in [\![\Gamma^-]\!]$.

Proof: By definition of $[\![\Gamma^-]\!]$ and part (3) of Theorem 19. □

Theorem 25 (Definitionally Equal Terms are Logically Related)

1. If $\Gamma \vdash M = N : A$ then $\Gamma^- \vdash M = N \in [\![A^-]\!]$.

2. If $\Gamma \vdash A = B : K$ then $\Gamma^- \vdash A = B \in [\![K^-]\!]$.

Proof: Directly by Lemmas 23 and 24. □

Corollary 26 (Completeness of Algorithmic Equality)

1. If $\Gamma \vdash M = N : A$ then $\Gamma^- \vdash M \Leftrightarrow N : A^-$.

2. If $\Gamma \vdash A = B : K$ then $\Gamma^- \vdash A \Leftrightarrow B : K^-$.

Proof: Directly by Theorem 25 and Theorem 19. □

5 Soundness of Algorithmic Equality

In general, the algorithm for type-directed equality is not sound. However, when applied to valid objects of the same type, it is sound and relates only equal terms. This direction requires a number of lemmas established in Section 2.6, but is otherwise mostly straightforward.

Lemma 27 (Subject Reduction)

If $M \xrightarrow{\mathrm{whr}} M'$ and $\Gamma \vdash M : A$ then $\Gamma \vdash M' : A$ and $\Gamma \vdash M = M' : A$.

Proof: By induction on the definition of weak head reduction, making use of the inversion and substitution lemmas.

Case:

$$\mathcal{W} = \frac{}{(\lambda x{:}A_1.\,M_2)\,M_1 \xrightarrow{\mathrm{whr}} [M_1/x]M_2}$$

$\Gamma \vdash (\lambda x{:}A_1.\,M_2)\,M_1 : A$    Assumption
$\Gamma \vdash \lambda x{:}A_1.\,M_2 : \Pi x{:}B_1.\,B_2$, $\Gamma \vdash M_1 : B_1$, and $\Gamma \vdash [M_1/x]B_2 = A : \mathrm{type}$    By inversion (Lemma 9)
$\Gamma \vdash A_1 : \mathrm{type}$, $\Gamma, x{:}A_1 \vdash M_2 : A_2$, and $\Gamma \vdash \Pi x{:}A_1.\,A_2 = \Pi x{:}B_1.\,B_2 : \mathrm{type}$    By inversion (Lemma 9)
$\Gamma \vdash A_1 = B_1 : \mathrm{type}$ and $\Gamma, x{:}A_1 \vdash A_2 = B_2 : \mathrm{type}$    By injectivity of products (Lemma 12)
$\Gamma \vdash [M_1/x]M_2 : [M_1/x]A_2$    By substitution (Lemma 3)
$\Gamma \vdash [M_1/x]A_2 = [M_1/x]B_2 : \mathrm{type}$    By substitution (Lemma 3)
$\Gamma \vdash [M_1/x]A_2 = A : \mathrm{type}$    By transitivity
$\Gamma \vdash [M_1/x]M_2 : A$    By rule (type conversion)
$\Gamma \vdash A_1 : \mathrm{type}$    Copied from above
$\Gamma, x{:}A_1 \vdash M_2 = M_2 : A_2$    By reflexivity
$\Gamma \vdash M_1 = M_1 : A_1$    By reflexivity
$\Gamma \vdash (\lambda x{:}A_1.\,M_2)\,M_1 = [M_1/x]M_2 : [M_1/x]A_2$    By rule (parallel conversion)
$\Gamma \vdash (\lambda x{:}A_1.\,M_2)\,M_1 = [M_1/x]M_2 : A$    By rule (type conversion)

Case:

$$\mathcal{W} = \frac{\mathcal{W}_1 :: M_1 \xrightarrow{\mathrm{whr}} M_1'}{M_1\,M_2 \xrightarrow{\mathrm{whr}} M_1'\,M_2}$$

$\Gamma \vdash M_1\,M_2 : A$    Assumption
$\Gamma \vdash M_1 : \Pi x{:}A_2.\,A_1$, $\Gamma \vdash M_2 : A_2$, and $\Gamma \vdash [M_2/x]A_1 = A : \mathrm{type}$    By inversion (Lemma 9)
$\Gamma \vdash M_1' : \Pi x{:}A_2.\,A_1$    By i.h. on $\mathcal{W}_1$
$\Gamma \vdash M_1'\,M_2 : [M_2/x]A_1$    By rule (application)
$\Gamma \vdash M_1'\,M_2 : A$    By rule (type conversion)
$\Gamma \vdash M_1 = M_1' : \Pi x{:}A_2.\,A_1$    By inductive hypothesis
$\Gamma \vdash M_2 = M_2 : A_2$    By reflexivity
$\Gamma \vdash M_1\,M_2 = M_1'\,M_2 : [M_2/x]A_1$    By rule (simultaneous congruence)
$\Gamma \vdash M_1\,M_2 = M_1'\,M_2 : A$    By rule (type conversion)

□


For the soundness of algorithmic equality we need subject reduction and validity (Lemma 7).

Theorem 28 (Soundness of Algorithmic Equality)

1. If $\Gamma \vdash M : A$ and $\Gamma \vdash N : A$ and $\Gamma^- \vdash M \Leftrightarrow N : A^-$, then $\Gamma \vdash M = N : A$.

2. If $\Gamma \vdash M : A$ and $\Gamma \vdash N : B$ and $\Gamma^- \vdash M \leftrightarrow N : \tau$, then $\Gamma \vdash M = N : A$, $\Gamma \vdash A = B : \mathrm{type}$ and $A^- = B^- = \tau$.

3. If $\Gamma \vdash A : K$ and $\Gamma \vdash B : K$ and $\Gamma^- \vdash A \Leftrightarrow B : K^-$, then $\Gamma \vdash A = B : K$.

4. If $\Gamma \vdash A : K$ and $\Gamma \vdash B : L$ and $\Gamma^- \vdash A \leftrightarrow B : \kappa$, then $\Gamma \vdash A = B : K$, $\Gamma \vdash K = L : \mathrm{kind}$ and $K^- = L^- = \kappa$.

5. If $\Gamma \vdash K : \mathrm{kind}$ and $\Gamma \vdash L : \mathrm{kind}$ and $\Gamma^- \vdash K \Leftrightarrow L : \mathrm{kind}^-$ then $\Gamma \vdash K = L : \mathrm{kind}$.

Proof: By induction on the structure of the given derivations for algorithmic equality, using validity and inversion on the typing derivations.

Case:

$$\mathcal{T} = \frac{x{:}\tau \in \Gamma^-}{\Gamma^- \vdash x \leftrightarrow x : \tau}$$

$\Gamma \vdash x : A$    Assumption
$\Gamma \vdash x : B$    Assumption
$x{:}C \in \Gamma$, $\Gamma \vdash C = A : \mathrm{type}$, $\Gamma \vdash C = B : \mathrm{type}$    By inversion (Lemma 9)
$\Gamma \vdash A = B : \mathrm{type}$    By symmetry and transitivity
$\Gamma \vdash x = x : C$    By rule
$\Gamma \vdash x = x : A$    By type conversion
$A^- = B^- = C^- = \tau$    By erasure preservation (Lemma 13)

Case: $\mathcal{T}$ ends in an equality of constants. Like the previous case.

Case:

$$\mathcal{T} = \frac{\mathcal{T}_1 :: \Gamma^- \vdash M_1 \leftrightarrow N_1 : \tau_2 \to \tau_1 \quad \mathcal{T}_2 :: \Gamma^- \vdash M_2 \Leftrightarrow N_2 : \tau_2}{\Gamma^- \vdash M_1\,M_2 \leftrightarrow N_1\,N_2 : \tau_1}$$

$\Gamma \vdash M_1\,M_2 : A$    Assumption
$\Gamma \vdash N_1\,N_2 : B$    Assumption
$\Gamma \vdash M_1 : \Pi x{:}A_2.\,A_1$, $\Gamma \vdash M_2 : A_2$, and $\Gamma \vdash [M_2/x]A_1 = A : \mathrm{type}$    By inversion (Lemma 9)
$\Gamma \vdash \Pi x{:}A_2.\,A_1 : \mathrm{type}$    By validity (Lemma 7)
$\Gamma \vdash A_2 : \mathrm{type}$ and $\Gamma, x{:}A_2 \vdash A_1 : \mathrm{type}$    By inversion (Lemma 9)
$\Gamma \vdash N_1 : \Pi x{:}B_2.\,B_1$, $\Gamma \vdash N_2 : B_2$, and $\Gamma \vdash [N_2/x]B_1 = B : \mathrm{type}$    By inversion (Lemma 9)
$\Gamma \vdash \Pi x{:}B_2.\,B_1 : \mathrm{type}$    By validity (Lemma 7)
$\Gamma \vdash B_2 : \mathrm{type}$ and $\Gamma, x{:}B_2 \vdash B_1 : \mathrm{type}$    By inversion
$\Gamma \vdash M_1 = N_1 : \Pi x{:}A_2.\,A_1$, $\Gamma \vdash \Pi x{:}A_2.\,A_1 = \Pi x{:}B_2.\,B_1 : \mathrm{type}$, and $(\Pi x{:}A_2.\,A_1)^- = (\Pi x{:}B_2.\,B_1)^- = \tau_2 \to \tau_1$    By i.h. on $\mathcal{T}_1$
$\Gamma \vdash A_2 = B_2 : \mathrm{type}$ and $\Gamma, x{:}A_2 \vdash A_1 = B_1 : \mathrm{type}$    By injectivity of products (Lemma 12)
$\Gamma \vdash N_2 : A_2$    By symmetry and type conversion
$\Gamma \vdash M_2 = N_2 : A_2$    By i.h. on $\mathcal{T}_2$
$\Gamma \vdash M_1\,M_2 = N_1\,N_2 : [M_2/x]A_1$    By rule
$\Gamma \vdash M_1\,M_2 = N_1\,N_2 : A$    By type conversion
$\Gamma \vdash [M_2/x]A_1 = [N_2/x]B_1 : \mathrm{type}$    By family functionality
$A^- = A_1^- = B_1^- = B^- = \tau_1$    By erasure preservation

Case:

$$\mathcal{T} = \frac{M \xrightarrow{\mathrm{whr}} M' \quad \mathcal{T}' :: \Gamma^- \vdash M' \Leftrightarrow N : P^-}{\Gamma^- \vdash M \Leftrightarrow N : P^-}$$

$\Gamma \vdash M : P$    Assumption
$\Gamma \vdash N : P$    Assumption
$\Gamma \vdash P : \mathrm{type}$    Validity (Lemma 7)
$\Gamma \vdash M' : P$    By subject reduction (Lemma 27)
$\Gamma \vdash M' = N : P$    By i.h. on $\mathcal{T}'$
$\Gamma \vdash M = M' : P$    By subject reduction (Lemma 27)
$\Gamma \vdash M = N : P$    By transitivity

Case: Reduction on the right-hand side follows similarly.

Case:

$$\mathcal{T} = \frac{\mathcal{S} :: \Gamma^- \vdash M \leftrightarrow N : P^-}{\Gamma^- \vdash M \Leftrightarrow N : P^-}$$

$\Gamma \vdash M : P$    Assumption
$\Gamma \vdash N : P$    Assumption
$\Gamma \vdash M = N : P$    By i.h. on $\mathcal{S}$

Case:

$$\mathcal{T} = \frac{\mathcal{T}_2 :: \Gamma^-, x{:}\tau_1 \vdash M\,x \Leftrightarrow N\,x : \tau_2}{\Gamma^- \vdash M \Leftrightarrow N : \tau_1 \to \tau_2}$$

$\Gamma \vdash M : \Pi x{:}A_1.\,A_2$    Assumption
$\Gamma \vdash N : \Pi x{:}A_1.\,A_2$    Assumption
$\Gamma \vdash \Pi x{:}A_1.\,A_2 : \mathrm{type}$    By assumption
$\Gamma \vdash A_1 : \mathrm{type}$ and $\Gamma, x{:}A_1 \vdash A_2 : \mathrm{type}$    Inversion
$A_1^- = \tau_1$ and $A_2^- = \tau_2$    Assumption and definition of $(\,)^-$
$\Gamma, x{:}A_1 \vdash M\,x : A_2$    By weakening and rule
$\Gamma, x{:}A_1 \vdash N\,x : A_2$    By weakening and rule
$\Gamma, x{:}A_1 \vdash M\,x = N\,x : A_2$    By i.h. on $\mathcal{T}_2$
$\Gamma \vdash A_1 : \mathrm{type}$    By inversion (Lemma 9)
$\Gamma \vdash M = N : \Pi x{:}A_1.\,A_2$    By extensionality rule

□


Corollary 29 (Logically Related Terms are Definitionally Equal)

Assume $\Gamma$ is valid.

1. If $\Gamma \vdash M : A$, $\Gamma \vdash N : A$, and $\Gamma^- \vdash M = N \in [\![A^-]\!]$, then $\Gamma \vdash M = N : A$.

2. If $\Gamma \vdash A : K$, $\Gamma \vdash B : K$, and $\Gamma^- \vdash A = B \in [\![K^-]\!]$, then $\Gamma \vdash A = B : K$.

Proof: Direct from the assumptions and prior theorems. We show the proof for the first case.

$\Gamma^- \vdash M = N \in [\![A^-]\!]$   Assumption
$\Gamma^- \vdash M \Leftrightarrow N : A^-$   By Theorem 19
$\Gamma \vdash M = N : A$   By Theorem 28

□


6  Decidability  of  Definitional  Equality  and  Type- Checking 

In  this  section  we  show  that  the  judgment  for  algorithmic  equality  constitutes  a  decision  procedure 
on  valid  terms  of  the  same  type.  This  result  is  then  lifted  to  yield  decidability  of  all  judgments  in 
the  LF  type  theory. 

The first step is to show that equality is decidable for terms that are algorithmically equal to themselves. Note that this property does not depend on the soundness or completeness of algorithmic equality; it is a purely syntactic result. The second step uses completeness of algorithmic equality and reflexivity to show that every well-typed term is algorithmically equal to itself. These two observations, together with soundness and completeness of algorithmic equality, yield the decidability of definitional equality for well-typed terms.

We say an object is normalizing iff it is related to some term by the type-directed equivalence algorithm. More precisely, $M$ is normalizing at simple type $\tau$ iff $\Delta \vdash M \Leftrightarrow M' : \tau$ for some term $M'$. Note that by symmetry and transitivity of the algorithms, this implies that $\Delta \vdash M \Leftrightarrow M : \tau$. A term $M$ is structurally normalizing iff it is related to some term by the structural equivalence algorithm, that is, iff $\Delta \vdash M \leftrightarrow M' : \tau$ for some $M'$. Similar definitions apply to families and kinds. Equality is decidable on normalizing terms.

Lemma 30 (Decidability for Normalizing Terms)

1. If $\Delta \vdash M \Leftrightarrow M' : \tau$ and $\Delta \vdash N \Leftrightarrow N' : \tau$ then it is decidable whether $\Delta \vdash M \Leftrightarrow N : \tau$.

2. If $\Delta \vdash M \leftrightarrow M' : \tau_1$ and $\Delta \vdash N \leftrightarrow N' : \tau_2$ then it is decidable whether $\Delta \vdash M \leftrightarrow N : \tau_3$ for some $\tau_3$.

3. If $\Delta \vdash A \Leftrightarrow A' : \kappa$ and $\Delta \vdash B \Leftrightarrow B' : \kappa$ then it is decidable whether $\Delta \vdash A \Leftrightarrow B : \kappa$.

4. If $\Delta \vdash A \leftrightarrow A' : \kappa_1$ and $\Delta \vdash B \leftrightarrow B' : \kappa_2$ then it is decidable whether $\Delta \vdash A \leftrightarrow B : \kappa_3$ for some $\kappa_3$.

5. If $\Delta \vdash K \Leftrightarrow K' : \mathrm{kind}^-$ and $\Delta \vdash L \Leftrightarrow L' : \mathrm{kind}^-$ then it is decidable whether $\Delta \vdash K \Leftrightarrow L : \mathrm{kind}^-$.

Proof: We only sketch the proof of the first two properties; the others are similar. First note that, by symmetry and transitivity of algorithmic equality, $\Delta \vdash M \Leftrightarrow N : \tau$ iff $\Delta \vdash M' \Leftrightarrow N : \tau$ iff $\Delta \vdash M \Leftrightarrow N' : \tau$ iff $\Delta \vdash M' \Leftrightarrow N' : \tau$, so decidability of one implies decidability of the others with equal results. Given this observation, we prove parts (1) and (2) by simultaneous structural induction on the given derivations. The critical lemma is the determinacy of algorithmic equality (Lemma 15). □

Now we can show decidability of equality via reflexivity and completeness of algorithmic equality.

Theorem 31 (Decidability of Algorithmic Equality) Assume $\Gamma$ is valid.

1. If $\Gamma \vdash M : A$ and $\Gamma \vdash N : A$ then it is decidable whether $\Gamma^- \vdash M \Leftrightarrow N : A^-$.

2. If $\Gamma \vdash A : K$ and $\Gamma \vdash B : K$ then it is decidable whether $\Gamma^- \vdash A \Leftrightarrow B : K^-$.

3. If $\Gamma \vdash K : \mathrm{kind}$ and $\Gamma \vdash L : \mathrm{kind}$ then it is decidable whether $\Gamma^- \vdash K \Leftrightarrow L : \mathrm{kind}^-$.

Proof: We show only the proof of part (1) since the others are analogous.

By reflexivity of definitional equality (Lemma 2) and the completeness of algorithmic equality (Corollary 26), both $M$ and $N$ are normalizing. Hence by Lemma 30, algorithmic equivalence is decidable. □

Corollary 32 (Decidability of Definitional Equality) Assume $\Gamma$ is valid.

1. If $\Gamma \vdash M : A$ and $\Gamma \vdash N : A$ then it is decidable whether $\Gamma \vdash M = N : A$.

2. If $\Gamma \vdash A : K$ and $\Gamma \vdash B : K$ then it is decidable whether $\Gamma \vdash A = B : K$.

3. If $\Gamma \vdash K : \mathrm{kind}$ and $\Gamma \vdash L : \mathrm{kind}$ then it is decidable whether $\Gamma \vdash K = L : \mathrm{kind}$.

Proof: By soundness and completeness it suffices to check algorithmic equality, which is decidable by Theorem 31. □

We now present an algorithmic version of type-checking that uses algorithmic equality as an auxiliary judgment. This is a purely bottom-up type-checker; more complicated strategies can also be justified with our results, but are beyond the scope of this paper.

Objects

$$\frac{x{:}A \in \Gamma}{\Gamma \vdash x \Rightarrow A} \qquad \frac{c{:}A \in \Sigma}{\Gamma \vdash c \Rightarrow A}$$

$$\frac{\Gamma \vdash M_1 \Rightarrow \Pi x{:}A_2.\, A_1 \qquad \Gamma \vdash M_2 \Rightarrow A_2' \qquad \Gamma^- \vdash A_2' \Leftrightarrow A_2 : \mathrm{type}^-}{\Gamma \vdash M_1\, M_2 \Rightarrow [M_2/x]A_1}$$

$$\frac{\Gamma \vdash A_1 \Rightarrow \mathrm{type} \qquad \Gamma, x{:}A_1 \vdash M_2 \Rightarrow A_2}{\Gamma \vdash \lambda x{:}A_1.\, M_2 \Rightarrow \Pi x{:}A_1.\, A_2}$$

Families

$$\frac{a{:}K \in \Sigma}{\Gamma \vdash a \Rightarrow K}$$

$$\frac{\Gamma \vdash A \Rightarrow \Pi x{:}B'.\, K \qquad \Gamma \vdash M \Rightarrow B \qquad \Gamma^- \vdash B' \Leftrightarrow B : \mathrm{type}^-}{\Gamma \vdash A\, M \Rightarrow [M/x]K}$$

$$\frac{\Gamma \vdash A_1 \Rightarrow \mathrm{type} \qquad \Gamma, x{:}A_1 \vdash A_2 \Rightarrow \mathrm{type}}{\Gamma \vdash \Pi x{:}A_1.\, A_2 \Rightarrow \mathrm{type}}$$

Kinds

$$\frac{}{\Gamma \vdash \mathrm{type} \Rightarrow \mathrm{kind}} \qquad \frac{\Gamma \vdash A \Rightarrow \mathrm{type} \qquad \Gamma, x{:}A \vdash K \Rightarrow \mathrm{kind}}{\Gamma \vdash \Pi x{:}A.\, K \Rightarrow \mathrm{kind}}$$

Similar rules exist for checking validity of signatures and contexts.

Lemma 33 (Correctness of Algorithmic Type-Checking) Assume $\Gamma$ is valid.

1. (Soundness) If $\Gamma \vdash M \Rightarrow A$ then $\Gamma \vdash M : A$.

2. (Completeness) If $\Gamma \vdash M : A$ then $\Gamma \vdash M \Rightarrow A'$ for some $A'$ such that $\Gamma \vdash A = A' : \mathrm{type}$.

Proof: Part 1 follows by induction on the structure of the algorithmic derivation, using validity (Lemma 7), soundness of algorithmic equality (Theorem 28) and the rule of type conversion.

Part 2 follows by induction on the structure of the typing derivation, using transitivity of equality, inversion on type equality, and completeness of algorithmic equality. □

Theorem 34 (Decidability of Type-Checking)

1. It is decidable whether $\Gamma$ is valid.

2. Given a valid $\Gamma$, $M$, and $A$, it is decidable whether $\Gamma \vdash M : A$.

3. Given a valid $\Gamma$, $A$, and $K$, it is decidable whether $\Gamma \vdash A : K$.

4. Given a valid $\Gamma$ and $K$, it is decidable whether $\Gamma \vdash K : \mathrm{kind}$.

Proof: Since the algorithmic typing rules are syntax-directed and algorithmic equality is decidable (Theorem 31), there either exists a unique $A'$ such that $\Gamma \vdash M \Rightarrow A'$ or there is no such $A'$. By correctness of algorithmic type-checking we then have $\Gamma \vdash M : A$ iff $\Gamma \vdash A' = A : \mathrm{type}$, which can be decided by checking $\Gamma^- \vdash A' \Leftrightarrow A : \mathrm{type}^-$. □

The correctness of algorithmic type-checking also allows us to show strengthening, and a stronger form of the extensionality rule.

Theorem 35 (Strengthening) For each judgment $J$ of the type theory, if $\Gamma, x{:}A, \Gamma' \vdash J$ and $x \notin FV(\Gamma') \cup FV(J)$, then $\Gamma, \Gamma' \vdash J$.

Proof: Strengthening for the algorithmic version of type-checking follows by a simple structural induction, taking advantage of strengthening for algorithmic equality (Lemma 14). Strengthening for the original typing rules then follows by soundness and completeness of algorithmic typing. Strengthening for equality judgments follows from completeness (Corollary 26), soundness (Theorem 28), and strengthening for the typing judgment. □

Corollary 36 (Strong Extensionality) The typing premises for $M$ and $N$ in the extensionality rule are redundant. That is, the following strong form of extensionality is admissible:

$$\frac{\Gamma \vdash A_1 : \mathrm{type} \qquad \Gamma, x{:}A_1 \vdash M\, x = N\, x : A_2}{\Gamma \vdash M = N : \Pi x{:}A_1.\, A_2}$$

Proof: By inversion and strengthening.

$\Gamma, x{:}A_1 \vdash M\, x : A_2$   By validity
$\Gamma, x{:}A_1 \vdash M : \Pi x{:}B_1.\, B_2$, $\Gamma, x{:}A_1 \vdash x : B_1$, and $\Gamma, x{:}A_1 \vdash B_2 = A_2 : \mathrm{type}$   By inversion (Lemma 9)
$\Gamma \vdash A_1 = B_1 : \mathrm{type}$   By inversion and strengthening
$\Gamma \vdash \Pi x{:}B_1.\, B_2 = \Pi x{:}A_1.\, A_2 : \mathrm{type}$   By rule
$\Gamma, x{:}A_1 \vdash M : \Pi x{:}A_1.\, A_2$   By rule (type conversion)
$\Gamma \vdash M : \Pi x{:}A_1.\, A_2$   By strengthening
$\Gamma \vdash N : \Pi x{:}A_1.\, A_2$   Similarly
$\Gamma \vdash M = N : \Pi x{:}A_1.\, A_2$   By extensionality

□


7  Quasi- Canonical  Forms 

The representation techniques of LF mostly rely on compositional bijections between the expressions (including terms, formulas, deductions, etc.) of the object language and canonical forms in a meta-language, where canonical forms are $\eta$-long and $\beta$-normal forms. So if we are presented with an LF object $M$ of a given type $A$ and we want to know which object-language expression $M$ represents, we convert it to canonical form and apply the inverse of the representation function.

This leads to the question of how to compute the canonical form of a well-typed object $M$ of type $A$ in an appropriate context $\Gamma$. Generally, we would like to extract this information from a derivation that witnesses that $M$ is normalizing, that is, a derivation that shows that $M$ is algorithmically equal to itself. This idea cannot be applied directly in our situation, since a derivation of $\Gamma^- \vdash M \Leftrightarrow M : A^-$ yields no information on the type labels of the $\lambda$-abstractions in $M$. Fortunately, these turn out to be irrelevant: if we have an object $M$ of a given type $A$ which is in canonical form, possibly with the exception of some type labels, then the type labels are actually uniquely determined up to definitional equality.

We formalize this intuition by defining quasi-canonical forms (and the auxiliary notion of quasi-atomic forms) in which type labels have been deleted. A quasi-canonical form can easily be extracted from a derivation that shows that a term is normalizing. Quasi-canonical forms are sufficient to prove adequacy theorems for the representation, since the global type of a quasi-canonical form is sufficient to extract an LF object unique up to definitional equality applied to type labels. The sets of quasi-canonical (QC) and quasi-atomic (QA) terms are defined by the following grammar:

Quasi-canonical objects   $\bar{M} ::= \tilde{M} \mid \lambda x.\, \bar{M}$
Quasi-atomic objects   $\tilde{M} ::= x \mid c \mid \tilde{M}\, \bar{M}$


It is a simple matter to instrument the algorithmic equality relations to extract a common quasi-canonical or quasi-atomic form for the terms being compared. Note that only one quasi-canonical form need be extracted, since two terms are algorithmically equivalent iff they have the same quasi-canonical form. The instrumented rules are as follows:

Instrumented Type-Directed Object Equality

$$\frac{M \rightarrow_{\mathrm{wh}} M' \qquad \Delta \vdash M' \Leftrightarrow N : \alpha \Uparrow O}{\Delta \vdash M \Leftrightarrow N : \alpha \Uparrow O} \qquad \frac{N \rightarrow_{\mathrm{wh}} N' \qquad \Delta \vdash M \Leftrightarrow N' : \alpha \Uparrow O}{\Delta \vdash M \Leftrightarrow N : \alpha \Uparrow O}$$

$$\frac{\Delta \vdash M \leftrightarrow N : \alpha \Uparrow O}{\Delta \vdash M \Leftrightarrow N : \alpha \Uparrow O} \qquad \frac{\Delta, x{:}\tau_1 \vdash M\, x \Leftrightarrow N\, x : \tau_2 \Uparrow O}{\Delta \vdash M \Leftrightarrow N : \tau_1 \rightarrow \tau_2 \Uparrow \lambda x.\, O}$$

Instrumented Structural Object Equality

$$\frac{x{:}\tau \in \Delta}{\Delta \vdash x \leftrightarrow x : \tau \Uparrow x} \qquad \frac{c{:}A \in \Sigma}{\Delta \vdash c \leftrightarrow c : A^- \Uparrow c}$$

$$\frac{\Delta \vdash M_1 \leftrightarrow N_1 : \tau_2 \rightarrow \tau_1 \Uparrow O_1 \qquad \Delta \vdash M_2 \Leftrightarrow N_2 : \tau_2 \Uparrow O_2}{\Delta \vdash M_1\, M_2 \leftrightarrow N_1\, N_2 : \tau_1 \Uparrow O_1\, O_2}$$
It  follows  from  the  foregoing  development  that  every  well-formed  term  has  a  unique  quasi- 
canonical  form.  We  now  have  the  following  theorem  relating  quasi-canonical  forms  to  the  usual 
development  of  the  LF  type  theory.  We  write  \M\  for  the  result  of  erasing  the  type  labels  from  an 
object  M. 
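As an added example (my own code, not the paper's), the following Python implements both the bottom-up type checker of Section 6 and the instrumented equality rules just given: `obj_eq` and `obj_str` decide $\Delta \vdash M \Leftrightarrow N : \tau$ and $\Delta \vdash M \leftrightarrow N : \tau$ while returning the extracted quasi-canonical form $O$ (or `None` when no derivation exists), `fam_eq` is the family-level algorithm at kind $\mathrm{type}^-$ (the only kind the type checker needs), and `synth` and `fsynth` are the judgments $\Gamma \vdash M \Rightarrow A$ and $\Gamma \vdash A \Rightarrow K$. The tuple encoding of terms (`var`, `const`, `app`, `lam` for objects; `fconst`, `fapp`, `pi` for families; `type`, `kpi` for kinds; `base`/`arrow` for simple types and the string `'type'` for $\mathrm{type}^-$), the function names, and the signature `SIG` with `nat`, `z`, `s`, a dependent family `eq` and `refl` are all my choices for illustration; weak head reduction and capture-avoiding substitution are the standard definitions.

```python
# Added example (my own toy code, not the paper's): type-directed equality with quasi-canonical
# form extraction, and the bottom-up type checker that calls it.  Names are strings.
BINDERS = ('lam', 'pi', 'kpi')    # binding forms at object, family and kind level

def free(t):                      # free variables of an object, family or kind
    if t[0] == 'var': return {t[1]}
    if t[0] in BINDERS: return free(t[2]) | (free(t[3]) - {t[1]})
    return set().union(*(free(s) for s in t[1:] if isinstance(s, tuple)))

def fresh(avoid, base='x'):       # deterministic name not in `avoid`: x, x1, x2, ...
    return next(n for n in (base if i == 0 else f'{base}{i}' for i in range(len(avoid) + 1)) if n not in avoid)

def subst(t, x, n):               # capture-avoiding [n/x]t, shared by objects, families and kinds
    if t[0] == 'var':
        return n if t[1] == x else t
    if t[0] in BINDERS:
        tag, y, a, body = t
        if y != x and y in free(n):          # rename the binder so it cannot capture n's variables
            z = fresh(free(n) | free(body) | {x})
            body, y = subst(body, y, ('var', z)), z
        return (tag, y, subst(a, x, n), body if y == x else subst(body, x, n))
    return (t[0],) + tuple(subst(s, x, n) if isinstance(s, tuple) else s for s in t[1:])

def erase(a):                     # the paper's ()^-: families to simple types, kinds to simple kinds
    if a[0] == 'fconst': return ('base', a[1])
    if a[0] == 'fapp': return erase(a[1])
    return 'type' if a[0] == 'type' else ('arrow', erase(a[2]), erase(a[3]))
def erase_ctx(gamma): return {x: erase(a) for x, a in gamma.items()}   # Gamma^-

def whnf(m):                      # weak head normal form: beta at the head, and M1 M2 -> M1' M2
    while m[0] == 'app' and (h := whnf(m[1]))[0] == 'lam':
        m = subst(h[3], h[1], m[2])
    return ('app', whnf(m[1]), m[2]) if m[0] == 'app' else m

def obj_eq(sig, delta, m, n, tau):   # Delta |- M <=> N : tau ^ O; returns O or None
    if tau[0] == 'arrow':             # extensionality: compare M x and N x at tau2 for a fresh x
        x = fresh(set(delta) | free(m) | free(n))
        o = obj_eq(sig, {**delta, x: tau[1]}, ('app', m, ('var', x)), ('app', n, ('var', x)), tau[2])
        return None if o is None else ('lam', x, o)
    r = obj_str(sig, delta, whnf(m), whnf(n))   # base type: weak head reduce, then compare structurally
    return r[1] if r is not None and r[0] == tau else None

def obj_str(sig, delta, m, n):       # Delta |- M <-> N : tau ^ O; returns (tau, O) or None
    if m[0] == n[0] == 'var' and m[1] == n[1] and m[1] in delta:
        return delta[m[1]], m
    if m[0] == n[0] == 'const' and m[1] == n[1] and m[1] in sig:
        return erase(sig[m[1]]), m
    if m[0] == n[0] == 'app':
        r = obj_str(sig, delta, m[1], n[1])
        o = obj_eq(sig, delta, m[2], n[2], r[0][1]) if r and r[0][0] == 'arrow' else None
        return None if o is None else (r[0][2], ('app', r[1], o))
    return None

def fam_eq(sig, delta, a, b):        # Delta |- A <=> B : type^-; families have no lambdas, so no reduction
    if a[0] == b[0] == 'pi':
        x = fresh(set(delta) | free(a) | free(b))
        return (fam_eq(sig, delta, a[2], b[2]) and
                fam_eq(sig, {**delta, x: erase(a[2])}, subst(a[3], a[1], ('var', x)), subst(b[3], b[1], ('var', x))))
    return fam_str(sig, delta, a, b) == 'type'

def fam_str(sig, delta, a, b):       # Delta |- A <-> B : kappa; returns kappa or None
    if a[0] == b[0] == 'fconst' and a[1] == b[1] and a[1] in sig:
        return erase(sig[a[1]])
    if a[0] == b[0] == 'fapp':
        k = fam_str(sig, delta, a[1], b[1])
        if k not in (None, 'type') and obj_eq(sig, delta, a[2], b[2], k[1]) is not None:
            return k[2]
    return None

def synth(sig, gamma, m):            # Gamma |- M => A, bottom-up; TypeError when no rule applies
    if m[0] == 'var' and m[1] in gamma:
        return gamma[m[1]]
    if m[0] == 'const' and m[1] in sig:
        return sig[m[1]]
    if m[0] == 'app':                # argument type compared with the domain up to definitional equality
        f = synth(sig, gamma, m[1])
        if f[0] == 'pi' and fam_eq(sig, erase_ctx(gamma), synth(sig, gamma, m[2]), f[2]):
            return subst(f[3], f[1], m[2])
    elif m[0] == 'lam' and fsynth(sig, gamma, m[2]) == ('type',):
        return ('pi', m[1], m[2], synth(sig, {**gamma, m[1]: m[2]}, m[3]))
    raise TypeError(f'not a well-typed object: {m!r}')

def fsynth(sig, gamma, a):           # Gamma |- A => K
    if a[0] == 'fconst' and a[1] in sig:
        return sig[a[1]]
    if a[0] == 'fapp':
        k = fsynth(sig, gamma, a[1])
        if k[0] == 'kpi' and fam_eq(sig, erase_ctx(gamma), synth(sig, gamma, a[2]), k[2]):
            return subst(k[3], k[1], a[2])
    elif a[0] == 'pi' and fsynth(sig, gamma, a[2]) == ('type',) == fsynth(sig, {**gamma, a[1]: a[2]}, a[3]):
        return ('type',)
    raise TypeError(f'not a well-kinded family: {a!r}')

NAT, EQ = ('fconst', 'nat'), ('fconst', 'eq')        # constructed signature: Peano numerals, equality family
SIG = {'nat': ('type',), 'z': NAT, 's': ('pi', 'x', NAT, NAT), 'eq': ('kpi', 'x', NAT, ('kpi', 'y', NAT, ('type',))),
       'refl': ('pi', 'x', NAT, ('fapp', ('fapp', EQ, ('var', 'x')), ('var', 'x')))}

def quasi_canonical(sig, gamma, m):  # read the quasi-canonical form off the derivation of M <=> M
    return obj_eq(sig, erase_ctx(gamma), m, m, erase(synth(sig, gamma, m)))
```

With this signature, `obj_eq(SIG, {}, ('const', 's'), ('lam', 'x', NAT, ('app', ('const', 's'), ('var', 'x'))), ('arrow', ('base', 'nat'), ('base', 'nat')))` returns `('lam', 'x', ('app', ('const', 's'), ('var', 'x')))`: the extensionality rule $\eta$-expands the constant `s`, the $\beta$-redex on the other side disappears under weak head reduction, and the extracted form carries no label on the $\lambda$, as the grammar of quasi-canonical objects requires. Type-checking `refl` applied to `(λx:nat. x) z` and then passing the result to a constant expecting `eq z z` succeeds because the argument type is compared with `fam_eq`, which reduces `(λx:nat. x) z` to `z`, rather than syntactically; `synth` raises `TypeError` exactly when no rule of the syntax-directed system applies, which is what Theorem 34 relies on.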

Theorem 37 (Quasi-Canonical and Quasi-Atomic Forms)

1. If $\Gamma \vdash M_1 : A$ and $\Gamma \vdash M_2 : A$ and $\Gamma^- \vdash M_1 \Leftrightarrow M_2 : A^- \Uparrow O$, then there is an $N$ such that $|N| = O$, $\Gamma \vdash N : A$, $\Gamma \vdash M_1 = N : A$ and $\Gamma \vdash M_2 = N : A$, and this $N$ is unique up to definitional equality.

2. If $\Gamma \vdash M_1 : A_1$ and $\Gamma \vdash M_2 : A_2$ and $\Gamma^- \vdash M_1 \leftrightarrow M_2 : \tau \Uparrow O$, then $\Gamma \vdash A_1 = A_2 : \mathrm{type}$, $A_1^- = A_2^- = \tau$, and there exists an $N$ such that $|N| = O$, $\Gamma \vdash N : A_1$, $\Gamma \vdash M_1 = N : A_1$ and $\Gamma \vdash M_2 = N : A_1$, and this $N$ is unique up to definitional equality.

Proof: By simultaneous induction on the instrumented equality derivations. It is critical that we have the types of the objects that are compared (and not just the approximate type) so that we can use this information to fill in the missing $\lambda$-labels. □

Note that the uniqueness of $N$ up to definitional equality affects only the type labels, since $O$ determines $N$ in all other respects. This result shows that all adequacy proofs for LF representations on canonical forms still hold. In fact, they can be carried out directly on quasi-canonical forms.
We can also directly state and prove adequacy theorems for encodings of logical systems in LF using quasi-canonical forms. It is interesting to observe that the type labels on $\lambda$'s are not necessary for this purpose; in an adequacy theorem, the type of the bound variable is determined from context. For example, the following relation sets up a compositional (natural) bijection between (a) terms and formulas of first-order logic over a given first-order signature and (b) quasi-canonical forms of types $\iota$ and $o$, respectively, in the signature of first-order logic. We only show an excerpt, illustrating the idea over the signature

$c_f : \iota \rightarrow \cdots \rightarrow \iota$
$c_{=} : \iota \rightarrow \iota \rightarrow o$
$c_{\wedge} : o \rightarrow o \rightarrow o$
$c_{\forall} : (\iota \rightarrow o) \rightarrow o$

Let $\Gamma$ be a context of the form $x_1{:}\iota, \ldots, x_n{:}\iota$ for some $n \geq 0$. A correspondence relation between terms and formulas with (free) variables among the $x_1, \ldots, x_n$ and quasi-canonical objects of type $\iota$ and $o$, respectively, over that signature and context may be defined as follows:

$$\frac{}{\Gamma \vdash x \leadsto x : \iota} \qquad \frac{\Gamma \vdash t_1 \leadsto M_1 : \iota \quad \cdots \quad \Gamma \vdash t_n \leadsto M_n : \iota}{\Gamma \vdash f(t_1, \ldots, t_n) \leadsto c_f\, M_1 \ldots M_n : \iota}$$

$$\frac{\Gamma \vdash t_1 \leadsto M_1 : \iota \qquad \Gamma \vdash t_2 \leadsto M_2 : \iota}{\Gamma \vdash t_1 = t_2 \leadsto c_{=}\, M_1\, M_2 : o} \qquad \frac{\Gamma \vdash \phi_1 \leadsto M_1 : o \qquad \Gamma \vdash \phi_2 \leadsto M_2 : o}{\Gamma \vdash \phi_1 \wedge \phi_2 \leadsto c_{\wedge}\, M_1\, M_2 : o}$$

$$\frac{\Gamma, x{:}\iota \vdash \phi \leadsto M : o}{\Gamma \vdash \forall x.\, \phi \leadsto c_{\forall}\, (\lambda x.\, M) : o}$$

Theorem 38 (Adequacy for Syntax of First-Order Logic) Let $\Gamma$ be a context of the form $x_1{:}\iota, \ldots, x_n{:}\iota$ for some $n \geq 0$.

1. The relation $\Gamma \vdash t \leadsto M : \iota$ is a compositional bijection between terms $t$ of first-order logic over variables $x_1, \ldots, x_n$ and quasi-canonical forms $M$ of type $\iota$ relative to $\Gamma$.

2. The relation $\Gamma \vdash \phi \leadsto M : o$ is a compositional bijection between formulas $\phi$ with free variables among $x_1, \ldots, x_n$ and quasi-canonical forms $M$ of type $o$ relative to $\Gamma$.

Proof: We establish by induction over $t$ and $\phi$ that for every term $t$ and formula $\phi$ there exist a unique $M$ and $N$ and derivations of $\Gamma \vdash t \leadsto M : \iota$ and $\Gamma \vdash \phi \leadsto N : o$, respectively. Similarly, we show that for quasi-canonical $M$ and $N$ at types $\iota$ and $o$, respectively, there exist unique related $t$ and $\phi$. This establishes a bijection. To see that it is compositional we use an induction over the structure of terms $t$ and formulas $\phi$. □

Adequacy at the level of derivations can be established by analogous means.
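The bijection of Theorem 38, as an added example that is not part of the paper: the Python below implements the representation function for terms and formulas over the signature above and its inverse on quasi-canonical forms, using the same tuple encoding of LF objects as the earlier example (a quasi-canonical $\lambda x.\, M$ is `('lam', x, M)`, with no type label). The first-order signature `plus`/`zero`, the constant names `c_plus`, `c_zero`, `c_=`, `c_and`, `c_all`, and the tuple encoding of first-order syntax are my own choices. The inverse direction is where the adequacy argument lives: `decode` accepts only quasi-canonical forms of the expected type (a variable must be one of the $x_i$ in $\Gamma$, a constant must be applied to exactly as many arguments as its type demands, the argument of `c_all` must be a $\lambda$) and rejects everything else, and the type $\iota$ of the bound variable is supplied from context rather than read off a label.

```python
# Added example, not code from the paper: the representation function of Theorem 38 and its
# inverse on quasi-canonical forms.  Encodings are my own:
#   first-order terms    ('v', x) | ('f', name, [t1, ..., tn])
#   first-order formulas ('=', t1, t2) | ('and', p, q) | ('all', x, p)
#   quasi-canonical LF   ('var', x) | ('const', c) | ('app', M, N) | ('lam', x, M)
SIGNATURE = {'plus': 2, 'zero': 0}    # constructed first-order signature: function symbol -> arity

def encode(e):
    """Gamma |- e ~> M: first-order syntax to its quasi-canonical representation."""
    tag = e[0]
    if tag == 'v':
        return ('var', e[1])
    if tag == 'f':
        m = ('const', 'c_' + e[1])
        for t in e[2]:                       # c_f M1 ... Mn as a left-nested application
            m = ('app', m, encode(t))
        return m
    if tag in ('=', 'and'):
        c = ('const', 'c_=' if tag == '=' else 'c_and')
        return ('app', ('app', c, encode(e[1])), encode(e[2]))
    if tag == 'all':                         # c_all (\x. M): the binder carries no type label
        return ('app', ('const', 'c_all'), ('lam', e[1], encode(e[2])))
    raise ValueError(f'not first-order syntax: {e!r}')

def spine(m):
    """Split a quasi-atomic form into its head and the list of arguments."""
    args = []
    while m[0] == 'app':
        args.append(m[2])
        m = m[1]
    return m, args[::-1]

def decode(m, typ, gamma=()):
    """Inverse of encode on quasi-canonical forms of type 'i' or 'o' in the context
    gamma = (x1, ..., xn); anything that is not such a form is rejected with ValueError."""
    head, args = spine(m)
    if typ == 'i':
        if head[0] == 'var' and not args and head[1] in gamma:
            return ('v', head[1])
        if head[0] == 'const' and head[1].startswith('c_') and SIGNATURE.get(head[1][2:]) == len(args):
            return ('f', head[1][2:], [decode(a, 'i', gamma) for a in args])
    elif head == ('const', 'c_=') and len(args) == 2:
        return ('=', decode(args[0], 'i', gamma), decode(args[1], 'i', gamma))
    elif head == ('const', 'c_and') and len(args) == 2:
        return ('and', decode(args[0], 'o', gamma), decode(args[1], 'o', gamma))
    elif head == ('const', 'c_all') and len(args) == 1 and args[0][0] == 'lam':
        _, x, body = args[0]                 # the bound variable gets type i from the context
        return ('all', x, decode(body, 'o', gamma + (x,)))
    raise ValueError(f'not a quasi-canonical form of type {typ}: {m!r}')
```

`decode(encode(e), typ)` returns `e` for every term or formula `e` with free variables in `gamma`, and `encode(decode(m, typ, gamma))` returns `m` for every quasi-canonical `m` that `decode` accepts; the two round trips are the two halves of the bijection, and compositionality is visible in the fact that both functions recurse on immediate subterms only.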
8 Conclusions

We have presented a new, type-directed algorithm for definitional equality in the LF type theory. This algorithm improves on previous accounts by avoiding consideration of reduction and its associated meta-theory and by providing a practical method for testing definitional equality in an implementation. The algorithm also yields a notion of canonical form, which we call quasi-canonical, that is suitable for proving the adequacy of encodings in a logical framework. The omission of type labels presents no difficulties for the methodology of LF, essentially because abstractions arise only in contexts where the domain type is known. The formulation of the algorithm and its proof of correctness rely on the "shapes" of types, from which dependencies on terms have been eliminated.

Surprisingly, it was the soundness proof for the algorithm, and not its completeness proof, that presented some technical difficulties. In particular, we have eliminated family-level $\lambda$-abstractions from our formulation of the type theory in order to prove injectivity of products syntactically.

The type-directed approach scales to richer languages such as those with unit types, precisely because it makes use of type information during comparison. For example, one expects that any two variables of unit type are equal, even though they are structurally distinct head normal forms. A similar approach is used by Stone and Harper [SH00] to study a dependent type theory with singleton kinds and subkinding. There it is impossible to eliminate dependencies, resulting in a substantially more complex correctness proof, largely because of the loss of symmetry in the presence of dependencies. Nevertheless, the fundamental method is the same, and results in a practical approach to checking definitional equality for a rich type theory.

A major open question is whether our technique can be extended to handle the full Calculus of Constructions. We require injectivity of products rather early, which would seem to be difficult to attain. Furthermore, long normal forms, while still cleanly definable [DHW93], are not stable under substitution, which complicates the type-directed equality algorithm.

Acknowledgments. We are grateful to Chris Stone for improving the treatment of family functionality, and to Karl Crary for several comments and corrections to an earlier draft of this paper.